CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API

[Kaxil Naik <kaxilnaik () apache org>]

Versions Affected: 2.0.0

*Description*:

Improper Access Control on Configurations Endpoint for the Stable API
of Apache Airflow allows users with Viewer or User role to get Airflow
Configurations including sensitive information even when `[webserver]
expose_config` is set to `False` in `airflow.cfg`.

This allowed a privilege escalation attack.

This issue affects Apache Airflow 2.0.0.


*Mitigation*:

Upgrade to Airflow 2.0.1 or remove `can read on Configurations`
permission from the roles like Viewer and Users if you want to
restrict users with those roles to view configurations in 2.0.0.


*Credit*:
Apache Airflow would like to thank Ian Carroll for reporting this issue.

Thanks,
Kaxil,
on behalf of Apache Airflow PMC