airflow-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaxil Naik <kaxiln...@apache.org>
Subject CVE-2021-26559: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API
Date Wed, 17 Feb 2021 12:59:10 GMT
Hi Airflow community,

Please find below the information about a vulnerability which has been
addressed in Apache Airflow v2.0.1:

*CVE-2021-26559: CWE-284 Improper Access Control on Configurations Endpoint
for the Stable API*

*Description*:
Improper Access Control on Configurations Endpoint for the Stable API of
Apache Airflow allows users with Viewer or User role to get Airflow
Configurations including sensitive information even when `[webserver]
expose_config` is set to `False` in `airflow.cfg`.

This allowed a privilege escalation attack.

This issue affects *Apache Airflow 2.0.0*.


*Mitigation:*Upgrade to Airflow 2.0.1 or remove `can read on
Configurations` permission from the roles like Viewer and Users if you want
to restrict users with those roles to view configurations in 2.0.0.

*Credits*:

Apache Airflow would like to thank Ian Carroll for reporting this issue.



Thanks.
Kaxil @ Airflow PMC

Mime
View raw message