Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Aug 2021 12:20:03 +0000
From: Kaxil Naik <>
Subject: CVE-2021-35936: Apache Airflow: No Authentication on Logging


If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on by default.
This logging server had no authentication and allows reading log files of DAG jobs.

This issue affects Apache Airflow < 2.1.2.


Use remote logging with GCS, S3, Elasticsearch etc. This is recommended for production environments.

And do not publicly expose any other ports apart from Webserver port, Flower port etc.


Apache Airflow would like to thank Dolev Farhi for reporting this issue.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.