oss-sec mailing list archives
CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check
From: Kaxil Naik <kaxilnaik () gmail com>
Date: Wed, 17 Feb 2021 14:09:11 +0000
Description: The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity CVE as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0. Credit: Apache Airflow would like to thank Ian Carroll for reporting this issue. References: https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
Current thread:
- CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check Kaxil Naik (Feb 17)