CVE-2021-38540
First published: Thu Sep 09 2021(Updated: )
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/apache-airflow | >=2.0.0<2.1.3 | 2.1.3 |
| Apache Airflow | >=2.0.0<2.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-38540
- https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E
- https://github.com/apache/airflow/commit/bcec1df703cd4a01520a90c3f801cca6f97d9bfd
- https://github.com/advisories/GHSA-h88f-r7cw-8fv3 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-326.yaml
Frequently Asked Questions
What is CVE-2021-38540?
CVE-2021-38540 is a vulnerability in Apache Airflow that allows unauthenticated users to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure, or remote code execution.
What is the severity of CVE-2021-38540?
CVE-2021-38540 has a severity rating of 9.8, which is classified as critical.
How does CVE-2021-38540 impact Airflow?
CVE-2021-38540 allows unauthenticated users to hit the variable import endpoint in Airflow, which can lead to various security risks such as denial of service, information disclosure, or remote code execution.
How can I fix CVE-2021-38540?
To fix CVE-2021-38540, upgrade your Apache Airflow installation to version 2.1.3 or later.
Where can I find more information about CVE-2021-38540?
More information about CVE-2021-38540 can be found at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-38540), [Apache mailing list](https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2@%3Cannounce.apache.org%3E), [Airflow mailing list](https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E).
- collector/github-advisory-latest
- alias/GHSA-h88f-r7cw-8fv3
- alias/CVE-2021-38540
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/references
- agent/event
- agent/type
- agent/description
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- package-manager/pip
- vendor/apache
- canonical/apache airflow
- version/apache airflow/2.0.0