First published: Wed Feb 17 2021
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is a low-severity issue, as the attacker needs to know certain parameters to pass to that endpoint, and even then can only obtain some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Airflow | =2.0.0 | |
| pip/apache-airflow | =2.0.0 | 2.0.1rc1 |
The vulnerability ID for this issue is CVE-2021-26697.
The title of this vulnerability is 'The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0.'
The severity of CVE-2021-26697 is medium with a CVSS score of 5.3.
Apache Airflow version 2.0.0 is affected by CVE-2021-26697.
To fix the vulnerability, upgrade to a version of Apache Airflow in which the lineage endpoint requires authentication (2.0.1rc1 or later, per the table above).
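As an added example, not part of this advisory or of the Airflow project: a short Python review of webserver access logs that lists requests to the lineage endpoint and counts successful responses per source, so a defender can see whether an unpatched 2.0.0 instance answered callers it does not recognise. The endpoint path and the combined access-log format are assumptions, and the sample log lines are constructed.

```python
import re

# Route of the deprecated Experimental API lineage endpoint (assumed from Airflow's
# experimental endpoints): /api/experimental/lineage/<dag_id>/<execution_date>
LINEAGE_RE = re.compile(r"^/api/experimental/lineage/(?P<dag_id>[^/?\s]+)/[^?\s]+")

# Combined access-log line as gunicorn writes it for the webserver (assumed format);
# only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_lineage_hits(lines):
    """Every request that reached the lineage endpoint, whatever the response was."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        p = LINEAGE_RE.match(m["path"])
        if p:
            hits.append({"ip": m["ip"], "ts": m["ts"], "dag_id": p["dag_id"],
                         "status": int(m["status"])})
    return hits

def successful_by_source(hits):
    """Count 2xx responses per source IP. On an unpatched 2.0.0 webserver nothing
    required credentials for this route, so each may be an anonymous metadata read."""
    counts = {}
    for h in hits:
        if 200 <= h["status"] < 300:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

# Constructed sample lines, not taken from any real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2021:10:01:02 +0000] "GET /api/experimental/lineage/example_dag/2021-02-16T00:00:00 HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '10.0.0.5 - - [17/Feb/2021:10:01:03 +0000] "GET /api/experimental/lineage/example_dag/2021-02-15T00:00:00 HTTP/1.1" 200 498 "-" "python-requests/2.25.1"',
    '10.0.0.9 - - [17/Feb/2021:10:02:00 +0000] "GET /api/experimental/lineage/example_dag/2021-02-16T00:00:00 HTTP/1.1" 403 23 "-" "curl/7.68.0"',
    '10.0.0.7 - - [17/Feb/2021:10:03:00 +0000] "GET /api/v1/dags HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "not an access-log line",
]

if __name__ == "__main__":
    for ip, n in successful_by_source(find_lineage_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} lineage response(s) served with 2xx")
```

Sources that received 2xx answers but are not known Airflow clients are the ones to review; after upgrading, the same query should show only 401/403 for anonymous callers.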