Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW02aDItang5di01OHc2

Moderate CVSS: 5.3 EPSS: 0.00113% (0.30766 Percentile) EPSS:
Permalink JSON

Missing Authorization in Apache Airflow

Affected Packages Affected Versions Fixed Versions
pypi:apache-airflow < 2.1.2 2.1.2
314 Dependent packages
1,554 Dependent repositories
15,393,544 Downloads last month

Affected Version Ranges

All affected versions

1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1

All unaffected versions

2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.

References:

Identifiers

GHSA-m6h2-jx9v-58w6

CVE-2021-35936

Risk

Severity

Moderate

CVSS

CVSS Score: 5.3

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00113

EPSS Percentile: 0.30766

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/airflow

Date and time

Published

almost 4 years ago

Updated

11 months ago

API

JSON