CVE-2021-26559 — Improper Access Control in Software Foundation Apache Airflow

CWE-284 — Improper Access Control CWE-269 — Improper Privilege Management5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.6%

top 31.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedFeb 17

Latest updateApr 7

Description

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/airflow2.0.0

▶CVEListV5apache_software_foundation/apache_airflowApache Airflow 2.0.0

🔴Vulnerability Details

OSV

Improper Access Control in Apache Airflow↗2021-04-07

▶

GHSA

Improper Access Control in Apache Airflow↗2021-04-07

▶

OSV

CVE-2021-26559: Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configura↗2021-02-17

▶

CVEList

CWE-284 Improper Access Control on Configurations Endpoint for the Stable API↗2021-02-17

▶