List: oss-security
Subject: [oss-security] CVE-2021-38540: Apache Airflow: Variable Import endpoint missed authentication check
From: Kaxil Naik <kaxilnaik () apache ! org>
Date: 2021-09-09 11:22:49
Message-ID: e2aab54c-0042-d9fd-7df6-386cb1b498e1 () apache ! org
Description:
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.
This issue affects Apache Airflow >=2.0.0, <2.1.3.
Credit:
Apache Airflow would like to thank Nathan Jones, National Australia Bank's Offensive Security Team
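
Added example, not part of the advisory or of Apache Airflow's code: a Python helper that checks recorded Airflow version strings against the affected range stated above (>=2.0.0, <2.1.3). The host names, the inventory and the function names are constructed for illustration; pre-releases of 2.0.0 are sent to manual review because the advisory does not mention them.

```python
import re

# Affected range as stated in the advisory: >=2.0.0, <2.1.3
AFFECTED_MIN = (2, 0, 0)
FIXED_IN = (2, 1, 3)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*(.*?)\s*$")
# Pre-release suffixes such as rc1, b3, .dev0 (optionally followed by +local).
_PRE_RE = re.compile(r"^[-._]?(alpha|beta|rc|dev|a|b)[-._]?\d*(?=$|\+)", re.I)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparsable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return release, bool(_PRE_RE.match(m.group(4)))


def is_affected(version_text):
    """True or False for a parsable version, None when it needs manual review."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    release, prerelease = parsed
    if prerelease and release == FIXED_IN:
        return True   # e.g. 2.1.3rc1 sorts before 2.1.3, so it is in range
    if prerelease and release == AFFECTED_MIN:
        return None   # e.g. 2.0.0b3 sorts before 2.0.0; advisory is silent
    return AFFECTED_MIN <= release < FIXED_IN


def triage(inventory):
    """Group host names by status: 'affected', 'not_affected' or 'review'."""
    groups = {"affected": [], "not_affected": [], "review": []}
    for host, version in sorted(inventory.items()):
        verdict = is_affected(version)
        key = "review" if verdict is None else ("affected" if verdict else "not_affected")
        groups[key].append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory: host name -> version string as recorded.
    sample = {"etl-01": "2.1.2", "etl-02": "2.1.3", "etl-03": "1.10.15",
              "etl-04": "2.1.3rc1", "etl-05": "2.10.0", "etl-06": "unknown"}
    for status, hosts in triage(sample).items():
        print(status, hosts)
```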