airflow-users mailing list archives

From Kaxil Naik <kaxiln...@apache.org>
Subject CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check
Date Wed, 17 Feb 2021 14:02:50 GMT
Hi Airflow community,

Please find below the information about a vulnerability which has been
addressed in Apache Airflow v2.0.1:

*CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API
missed authentication check*

*Description*:
The lineage endpoint of the deprecated Experimental API was not protected
by authentication in Airflow 2.0.0. This allowed unauthenticated users to
hit that endpoint.

This is a low-severity CVE, as an attacker needs to know specific
parameters to pass to that endpoint, and even then can only obtain some
metadata about a DAG and a Task.

This issue affects Apache Airflow 2.0.0. Upgrade to Airflow 2.0.1 to
mitigate this issue.

This does not affect users who have changed the default value for
`[webserver] secret_key` config.
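The bug class described above is a per-endpoint authentication decorator that one route was registered without. The following is an added example, constructed for this message and not Airflow's own code: a toy route registry in the style of a Flask blueprint, a `lineage` handler that lacks the decorator, an audit function (`unprotected_routes`) that enumerates routes and flags any handler without the auth marker, and a deny-by-default dispatcher that enforces the check centrally so a forgotten decorator is no longer exploitable. The names `route`, `requires_authentication`, `ROUTES`, the token value and the URL paths are all assumptions made for the example; the mechanism is modelled on the decorator pattern, not on the exact Airflow implementation.

```python
# Constructed example (not Airflow's code): per-endpoint authentication that
# one route forgot to apply, an audit that catches the gap, and a
# deny-by-default dispatcher that makes the omission harmless.
from functools import wraps
from typing import Any, Callable, Dict


class Unauthorized(Exception):
    """Raised when a request lacks a valid token."""


# Demo credential; constructed for the example only.
VALID_TOKEN = "constructed-demo-token"

# Stand-in for a Flask blueprint: path -> handler.
ROUTES: Dict[str, Callable[..., Any]] = {}


def route(path: str):
    """Register a handler under a path (must be the outermost decorator)."""
    def register(fn):
        ROUTES[path] = fn
        return fn
    return register


def requires_authentication(fn):
    """Reject requests whose token does not match; mark the handler as protected."""
    @wraps(fn)
    def wrapper(request: Dict[str, Any], **params):
        if request.get("auth_token") != VALID_TOKEN:
            raise Unauthorized(f"{fn.__name__}: authentication required")
        return fn(request, **params)
    wrapper.__auth_required__ = True  # marker the audit looks for
    return wrapper


@route("/api/experimental/dags/<dag_id>/tasks/<task_id>")
@requires_authentication
def task_info(request, **params):
    """Correctly protected endpoint returning task metadata (constructed)."""
    return {"dag_id": params["dag_id"], "task_id": params["task_id"]}


# The bug class: the lineage handler is registered without the decorator,
# so the opt-in dispatcher below serves it to anyone who knows the path.
@route("/api/experimental/lineage/<dag_id>/<execution_date>")
def lineage(request, **params):
    return {"dag_id": params["dag_id"],
            "execution_date": params["execution_date"],
            "inlets": [], "outlets": []}


def unprotected_routes():
    """Audit: every registered path whose handler lacks the auth marker.

    Run this as a regression test; a non-empty list is a missing check.
    """
    return sorted(p for p, h in ROUTES.items()
                  if not getattr(h, "__auth_required__", False))


def dispatch_opt_in(path, request, **params):
    """Vulnerable pattern: authentication happens only where a handler was decorated."""
    return ROUTES[path](request, **params)


def dispatch_deny_by_default(path, request, **params):
    """Hardened pattern: the dispatcher enforces the check for every route,
    wrapping any handler that was registered without the decorator."""
    handler = ROUTES[path]
    if not getattr(handler, "__auth_required__", False):
        handler = requires_authentication(handler)
    return handler(request, **params)


if __name__ == "__main__":
    print("unprotected:", unprotected_routes())
```

The audit is the cheap, durable control: it runs in CI over the real route table rather than relying on a reviewer to notice one missing decorator among many endpoints. The deny-by-default dispatcher is the structural fix, because it turns "forgot to protect a route" from a vulnerability into a no-op.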


*Credits*:

Apache Airflow would like to thank Ian Carroll for reporting this issue.



Thanks.
Kaxil @ Airflow PMC
