oss-sec mailing list archives
CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API
From: Kaxil Naik <kaxilnaik () apache org>
Date: Wed, 17 Feb 2021 13:15:33 +0000
Versions Affected: 2.0.0 *Description*: Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0. *Mitigation*: Upgrade to Airflow 2.0.1 or remove `can read on Configurations` permission from the roles like Viewer and Users if you want to restrict users with those roles to view configurations in 2.0.0. *Credit*: Apache Airflow would like to thank Ian Carroll for reporting this issue. Thanks, Kaxil, on behalf of Apache Airflow PMC
Current thread:
- CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API Kaxil Naik (Feb 17)