First published: Mon Aug 16 2021
If remote logging is not used, the worker (with CeleryExecutor) or the scheduler (with LocalExecutor) runs a Flask logging server that listens on a specific port and, by default, binds to 0.0.0.0. This logging server had no authentication and allowed anyone who could reach the port to read the log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
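The exposure above is a configuration state (local logging, log server bound on all interfaces, Airflow before 2.1.2), so a defender can audit for it before touching the network. The following is an added example, not Apache Airflow's own code: it reads an airflow.cfg with the standard `configparser`, assumes the Airflow 2.x layout in which `remote_logging` and `worker_log_server_port` live in the `[logging]` section (default port 8793), and compares the running version against the 2.1.2 fix line from this advisory. The sample configuration embedded in it is constructed for illustration.

```python
"""Audit an airflow.cfg for the unauthenticated log server described in CVE-2021-35936.

Added example, not Apache Airflow's own code. Assumptions: Airflow 2.x config
layout (`[logging] remote_logging`, `[logging] worker_log_server_port`,
default port 8793) and `[core] executor`. SAMPLE_CFG below is constructed.
"""
import configparser

FIXED_VERSION = (2, 1, 2)          # advisory: affected versions are < 2.1.2
DEFAULT_LOG_SERVER_PORT = 8793     # Airflow's default worker log server port

# Which component hosts the Flask log server, per the advisory text.
LOG_SERVER_HOST = {
    "CeleryExecutor": "worker",
    "LocalExecutor": "scheduler",
}

# Constructed sample airflow.cfg: local logging on a pre-fix version is the risky state.
SAMPLE_CFG = """
[core]
executor = CeleryExecutor

[logging]
remote_logging = False
worker_log_server_port = 8793
log_format = [%%(asctime)s] %%(levelname)s - %%(message)s
"""


def parse_version(text):
    """Turn '2.1.1' (or '2.1.2rc1') into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit_log_server(cfg_text, airflow_version):
    """Return a list of findings for the given config text and version; [] means clean."""
    # airflow.cfg contains '%'-style logging formats, so disable configparser interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)

    remote = cfg.getboolean("logging", "remote_logging", fallback=False)
    port = cfg.getint("logging", "worker_log_server_port",
                      fallback=DEFAULT_LOG_SERVER_PORT)
    executor = cfg.get("core", "executor", fallback="SequentialExecutor")
    component = LOG_SERVER_HOST.get(executor, "task-running component")

    findings = []
    if remote:
        return findings  # remote logging in use: the local log server is not the log source

    findings.append(
        f"local task logs are served by the Flask log server on the {component} "
        f"({executor}), port {port}, bound to 0.0.0.0 by default"
    )
    if parse_version(airflow_version) < FIXED_VERSION:
        findings.append(
            f"Airflow {airflow_version} is before 2.1.2: the log server has no "
            "authentication (CVE-2021-35936); upgrade to 2.1.2 or enable remote logging"
        )
    return findings


if __name__ == "__main__":
    for version in ("2.1.1", "2.1.2"):
        print(f"--- Airflow {version} ---")
        for finding in audit_log_server(SAMPLE_CFG, version) or ["no findings"]:
            print(f"  {finding}")
```

Run it against a real deployment by passing the contents of the instance's airflow.cfg and the output of `airflow version`. Note that this reads only the file: Airflow also honours environment overrides such as `AIRFLOW__LOGGING__REMOTE_LOGGING`, so a clean file does not by itself prove remote logging is on; check the effective configuration on the host as well.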
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Airflow | <2.1.2 | |
| pip/apache-airflow | <2.1.2 | 2.1.2 |
CVE-2021-35936 is a vulnerability in Apache Airflow that allows unauthenticated users to read DAG job log files served by the worker (CeleryExecutor) or the scheduler (LocalExecutor).
CVE-2021-35936 affects Apache Airflow versions before 2.1.2.
CVE-2021-35936 has a severity rating of 5.3, which is considered medium.
The Common Weakness Enumeration (CWE) IDs for CVE-2021-35936 are CWE-306 and CWE-200.
The fix for CVE-2021-35936 is to upgrade to Apache Airflow 2.1.2 (see the table above). Where upgrading is not immediately possible, use remote logging or apply other mitigations to protect against this vulnerability.