CVE-2021-35936 — Sensitive Information Exposure in Software Foundation Apache Airflow

CWE-200 — Sensitive Information Exposure CWE-306 — Missing Authentication for Critical Function CWE-862 — Missing Authorization5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

1.9%

top 16.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedAug 16

Latest updateAug 30

Description

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDapache/airflow< 2.1.2

▶CVEListV5apache_software_foundation/apache_airflowApache Airflow — 2.1.2

🔴Vulnerability Details

GHSA

Missing Authorization in Apache Airflow↗2021-08-30

▶

OSV

Missing Authorization in Apache Airflow↗2021-08-30

▶

CVEList

No Authentication on Logging Server↗2021-08-16

▶

OSV

CVE-2021-35936: If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server↗2021-08-16

▶