CVE-2021-35936
published 2021-08-16CVE-2021-35936: If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is…
medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | airflow | < 2.1.2 | 2.1.2 |
| apache_software_foundation | apache_airflow | >= Apache Airflow < 2.1.2 | 2.1.2 |