CVE-2021-26697 — Improper Privilege Management in Software Foundation Apache Airflow

CWE-269 — Improper Privilege Management CWE-306 — Missing Authentication for Critical Function CWE-287 — Improper Authentication5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

2.5%

top 14.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedFeb 17

Latest updateJun 18

Description

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDapache/airflow2.0.0

▶CVEListV5apache_software_foundation/apache_airflowApache Airflow 2.0.0

🔴Vulnerability Details

GHSA

Improper Authentication in Apache Airflow↗2021-06-18

▶

OSV

Improper Authentication in Apache Airflow↗2021-06-18

▶

OSV

CVE-2021-26697: The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2↗2021-02-17

▶

CVEList

Apache Airflow: Lineage API endpoint for Experimental API missed authentication check↗2021-02-17

▶