Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAH5JyZq+Jr3Y8FdHhJ_axMN-a97aBLmnDzCAV4OdR0u8e9=SeQ@mail.gmail.com>
Date: Wed, 17 Feb 2021 13:15:33 +0000
From: Kaxil Naik <kaxilnaik@...che.org>
To: oss-security@...ts.openwall.com
Cc: users@...flow.apache.org
Subject: CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations
 Endpoint for the Stable API

Versions Affected: 2.0.0

*Description*:

Improper Access Control on Configurations Endpoint for the Stable API
of Apache Airflow allows users with Viewer or User role to get Airflow
Configurations including sensitive information even when `[webserver]
expose_config` is set to `False` in `airflow.cfg`.

This allowed a privilege escalation attack.

This issue affects Apache Airflow 2.0.0.


*Mitigation*:

Upgrade to Airflow 2.0.1 or remove `can read on Configurations`
permission from the roles like Viewer and Users if you want to
restrict users with those roles to view configurations in 2.0.0.


*Credit*:
Apache Airflow would like to thank Ian Carroll for reporting this issue.

Thanks,
Kaxil,
on behalf of Apache Airflow PMC

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.