List:       oss-security
Subject:    [oss-security] CVE-2021-38540: Apache Airflow: Variable Import endpoint missed authentication check
From:       Kaxil Naik <kaxilnaik () apache ! org>
Date:       2021-09-09 11:22:49
Message-ID: e2aab54c-0042-d9fd-7df6-386cb1b498e1 () apache ! org

Description:

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.

This issue affects Apache Airflow >=2.0.0, <2.1.3.

Credit:

Apache Airflow would like to thank Nathan Jones, National Australia Bank's Offensive Security Team
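
One way to catch this class of flaw before release, as an added example that is not part of the original advisory and is not Apache Airflow code: a check that walks every registered route and reports handlers that lack an authentication guard. The router, decorators, paths and handlers are hypothetical stand-ins.

```python
# Added illustration: hypothetical names throughout, not Apache Airflow code.
import functools

ROUTES = {}     # path -> handler, a stand-in for a web framework's URL map
VARIABLES = {}  # stand-in for the variable store


def expose(path):
    """Register a handler under a URL path (hypothetical router)."""
    def register(fn):
        ROUTES[path] = fn
        return fn
    return register


def requires_auth(fn):
    """Reject requests without a user and mark the handler as guarded."""
    @functools.wraps(fn)
    def guarded(request):
        if not request.get("user"):
            return 401, "authentication required"
        return fn(request)
    guarded.auth_checked = True  # marker the audit below looks for
    return guarded


@expose("/variables/list")
@requires_auth
def list_variables(request):
    return 200, sorted(VARIABLES)


@expose("/variables/import")  # guard forgotten: the flaw class in the advisory
def import_variables(request):
    VARIABLES.update(request["body"])
    return 200, "imported"


def unguarded_routes(routes=ROUTES, public=frozenset()):
    """Return paths whose handler has no auth marker and is not allow-listed."""
    return sorted(path for path, handler in routes.items()
                  if path not in public
                  and not getattr(handler, "auth_checked", False))
```

Run as a CI test, a non-empty result from `unguarded_routes()` fails the build, and any route that is meant to be public has to be named in the `public` allow-list.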

