[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configuratio
From: Kaxil Naik <kaxilnaik () apache ! org>
Date: 2021-02-17 13:15:33
Message-ID: CAH5JyZq+Jr3Y8FdHhJ_axMN-a97aBLmnDzCAV4OdR0u8e9=SeQ () mail ! gmail ! com
[Download RAW message or body]
Versions Affected: 2.0.0
*Description*:
Improper Access Control on Configurations Endpoint for the Stable API
of Apache Airflow allows users with Viewer or User role to get Airflow
Configurations including sensitive information even when `[webserver]
expose_config` is set to `False` in `airflow.cfg`.
This allowed a privilege escalation attack.
This issue affects Apache Airflow 2.0.0.
*Mitigation*:
Upgrade to Airflow 2.0.1 or remove `can read on Configurations`
permission from the roles like Viewer and Users if you want to
restrict users with those roles to view configurations in 2.0.0.
*Credit*:
Apache Airflow would like to thank Ian Carroll for reporting this issue.
Thanks,
Kaxil,
on behalf of Apache Airflow PMC
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic