PT-2021-17095 · Apache · Apache Airflow
Ian Carroll · Published 2021-02-17 · Updated 2024-03-06
CVE-2021-26697
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Apache Airflow version 2.0.0
Description
The lineage endpoint of the deprecated Experimental API in Apache Airflow was not protected by authentication, so unauthenticated users could call it. An attacker must already know the parameters the endpoint expects, and even then obtains only some metadata about a DAG and a task. This is considered a low-severity issue.
Recommendations
For Apache Airflow version 2.0.0, consider disabling access to the lineage endpoint of the deprecated Experimental API until a patch is available. Restricting access to this endpoint minimizes the risk of exploitation. Be cautious when using the endpoint, as it may expose certain metadata to unauthorized users. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
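An added audit script (not part of this advisory or of Apache Airflow) that checks the two things the recommendation turns on: whether `airflow.cfg` re-enables the deprecated Experimental API, and what an unauthenticated request to the lineage endpoint of your own deployment returns. The endpoint path and the `[api]` options are those of Airflow 2.0.0; the DAG id, execution date and the config fragment are constructed placeholders.

```python
"""Audit helpers for the unauthenticated lineage endpoint (CVE-2021-26697)."""
import configparser
import urllib.error
import urllib.request

# Route of the deprecated Experimental API lineage endpoint in Airflow 2.0.0.
LINEAGE_PATH = "/api/experimental/lineage/{dag_id}/{execution_date}"


def experimental_api_enabled(cfg_text: str) -> bool:
    """Return True if airflow.cfg switches the deprecated Experimental API on.

    Airflow 2.0.0 ships it off by default ([api] enable_experimental_api = False);
    the lineage endpoint is only reachable when a deployment re-enabled it.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    return cfg.getboolean("api", "enable_experimental_api", fallback=False)


def classify_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated GET to an audit verdict."""
    if status == 200:
        return "EXPOSED"        # metadata returned without any credentials
    if status in (401, 403):
        return "PROTECTED"      # endpoint demands or denies authentication
    if status == 404:
        return "DISABLED"       # Experimental API off or route not present
    return "UNKNOWN"


def probe_lineage_endpoint(base_url: str, dag_id: str, execution_date: str) -> str:
    """GET the lineage endpoint of your own deployment with no credentials."""
    url = base_url.rstrip("/") + LINEAGE_PATH.format(dag_id=dag_id, execution_date=execution_date)
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_status(err.code)


# Constructed airflow.cfg fragment: the old API is re-enabled, and the default
# deny_all backend is set. Per the advisory the lineage endpoint bypassed
# authentication, so the auth_backend setting alone does not protect it.
SAMPLE_CFG = """
[api]
enable_experimental_api = True
auth_backend = airflow.api.auth.backend.deny_all
"""

if __name__ == "__main__":
    print("experimental API enabled:", experimental_api_enabled(SAMPLE_CFG))
    # Placeholder values for a local test deployment:
    # print(probe_lineage_endpoint("http://localhost:8080", "example_dag", "2021-02-17T00:00:00+00:00"))
```

Run `probe_lineage_endpoint` only against a deployment you operate; a verdict of `EXPOSED` means the recommendation above has not yet been applied.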
Improper Privilege Management
Improper Authentication
Missing Authentication
Related Identifiers
Affected Products
Apache Airflow