Date: Wed, 17 Feb 2021 13:15:33 +0000 From: Kaxil Naik <kaxilnaik@...che.org> To: oss-security@...ts.openwall.com Cc: users@...flow.apache.org Subject: CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API Versions Affected: 2.0.0 *Description*: Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0. *Mitigation*: Upgrade to Airflow 2.0.1 or remove `can read on Configurations` permission from the roles like Viewer and Users if you want to restrict users with those roles to view configurations in 2.0.0. *Credit*: Apache Airflow would like to thank Ian Carroll for reporting this issue. Thanks, Kaxil, on behalf of Apache Airflow PMC
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.