Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZoMzctY3g4My1xNTQy

Improper Authentication in Apache Airflow

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue only affects Apache Airflow 2.0.0.

Permalink: https://github.com/advisories/GHSA-fh37-cx83-q542
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZoMzctY3g4My1xNTQy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: about 1 month ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-fh37-cx83-q542, CVE-2021-26697
References:

• https://nvd.nist.gov/vuln/detail/CVE-2021-26697
• https://github.com/apache/airflow/commit/21cedff205e7d62675949fda2aa4616d77232b76
• https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
• https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E
• https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E
• http://www.openwall.com/lists/oss-security/2021/02/17/2
• https://github.com/apache/airflow/commit/24a54242d56058846c7978130b3f37ca045d5142
• https://github.com/apache/airflow/commit/93957e917ff4cfb0be11aef088bd9527cf728a04
• https://github.com/advisories/GHSA-fh37-cx83-q542

Repository: https://github.com/apache/airflow
Blast Radius: 16.9

Affected Packages