CVE-2021-45230

Severity: 6.5 MEDIUM
EPSS: 1.8% (top 17.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 20; Latest update Jan 28

Description

This CVE affects Apache Airflow prior to 2.2.0. It applies to a specific case where a user who has "can_create" permissions on DAG Runs can create DAG Runs for DAGs that they don't have "edit" permissions for.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 3 packages

NVD | apache/airflow | 2.0.0 | 2.2.0 | +1
PyPI | apache-airflow | 1.10.0 | 2.0.0b1 | +2
CVEListV5 | apache_software_foundation/apache_airflow | Apache Airflow 2 | 2.2.0 | +1

Vulnerability Details: 4 entries

GHSA | Improper Privilege Management in apache-airflow | 2022-01-28
OSV | Improper Privilege Management in apache-airflow | 2022-01-28
CVEList | Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver | 2022-01-20
OSV | CVE-2021-45230: In Apache Airflow prior to 2 | 2022-01-20