First published: Thu Sep 09 2021
The variable import endpoint of the Airflow webserver was not protected by authentication in Apache Airflow >=2.0.0, <2.1.3. An unauthenticated user could call that endpoint to add or modify the Airflow Variables that DAGs read at run time, potentially resulting in denial of service, information disclosure or remote code execution. Version 2.1.3 restores the authentication check on the endpoint.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
pip/apache-airflow | >=2.0.0, <2.1.3 | Upgrade to 2.1.3 |
Apache Airflow | >=2.0.0, <2.1.3 | Upgrade to 2.1.3 |
CVE-2021-38540 is a missing-authentication vulnerability in the Apache Airflow webserver: the variable import endpoint could be reached without a logged-in session, so anyone who could reach the webserver could add or modify Airflow Variables.
CVE-2021-38540 has a CVSS base score of 9.8, which is classified as critical.
The impact follows from how Variables are used: DAG code reads them (typically through Variable.get()) and may feed them into commands, file paths, connection details or templated task arguments. An attacker who can set them without authenticating can therefore break scheduling (denial of service), cause secrets to be exposed through tasks or logs (information disclosure), or steer a task into executing attacker-chosen input (remote code execution). Because the request needs no session, the webserver login does not mitigate it; only network exposure of the webserver limits who can reach it.
To fix CVE-2021-38540, upgrade Apache Airflow to version 2.1.3 or later, and confirm the running version afterwards (for example with `airflow version`). Until the upgrade is done, keep the webserver off untrusted networks.
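The following script is an added example written for this page; it is not SecAlerts or Apache Airflow code. It checks a version string against the advisory's range (>=2.0.0, <2.1.3) and, optionally, sends one anonymous body-less POST to the import endpoint to see whether the server turns it away at the authentication layer. Two things are assumed rather than taken from the advisory: that the endpoint is POST /variable/varimport on the Airflow webserver (the Flask-AppBuilder VariableModelView route in Airflow 2.x), and that a server enforcing authentication answers an anonymous request with a redirect to its login page or with HTTP 401/403.

```python
"""Check an Airflow deployment against the version range in this advisory
and, optionally, probe the variable import endpoint without credentials.

Added example, not SecAlerts or Apache Airflow code. Assumptions not
stated in the advisory:
  - the endpoint is POST /variable/varimport on the Airflow webserver
    (the Flask-AppBuilder VariableModelView route in Airflow 2.x);
  - a server that enforces authentication answers an anonymous POST with
    a redirect to its login page or with HTTP 401/403.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.parse
import urllib.request

AFFECTED_MIN = (2, 0, 0)   # inclusive lower bound, per the advisory
FIXED_IN = (2, 1, 3)       # exclusive upper bound, per the advisory

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Reduce a version string such as '2.1.2' or '2.1.0rc1' to a
    (major, minor, patch) tuple. Pre-release tags are ignored, so a
    pre-release of 2.1.3 is treated like 2.1.3 itself."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version lies in the advisory's range >=2.0.0, <2.1.3."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def classify_probe(status: int, location: str | None) -> str:
    """Interpret the response to an anonymous POST to the import endpoint.

    'auth-enforced': refused outright or redirected to the login page.
    'needs-review' : the request was not turned away at the auth layer,
                     which is the behaviour the advisory describes.
    """
    if status in (401, 403):
        return "auth-enforced"
    if status in (301, 302, 303, 307, 308) and location and "/login" in location:
        return "auth-enforced"
    return "needs-review"


def probe_varimport(base_url: str, timeout: float = 5.0) -> tuple[int, str | None, str]:
    """Send one anonymous, body-less POST to /variable/varimport (assumed
    path) and return (status, Location header, classification).
    Only run this against servers you are authorised to test."""
    url = urllib.parse.urljoin(base_url.rstrip("/") + "/", "variable/varimport")
    # No file is attached, so nothing is imported even if the endpoint is open.
    req = urllib.request.Request(url, data=b"", method="POST")

    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        # Stop at the first response so its Location header can be inspected.
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx/4xx responses arrive here once redirects are not followed.
        status, location = err.code, err.headers.get("Location")
    return status, location, classify_probe(status, location)


if __name__ == "__main__":
    import sys

    for v in sys.argv[1:] or ["1.10.15", "2.0.0", "2.1.2", "2.1.3"]:
        print(f"{v:>8}: {'affected' if is_affected(v) else 'not affected'}")
```

Run it with the output of `airflow version` as the argument to get the range check; call `probe_varimport("https://airflow.example.internal")` from a Python shell to run the probe. A result of `needs-review` means the server answered the anonymous request somewhere other than its login page; that matches the unpatched behaviour this advisory describes and should be treated as confirmation that the upgrade is still outstanding.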
More information about CVE-2021-38540 can be found at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-38540), [Apache mailing list](https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2@%3Cannounce.apache.org%3E), [Airflow mailing list](https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E).