Posted to users@airflow.apache.org by Kaxil Naik <ka...@apache.org> on 2021/02/17 14:02:50 UTC

CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check

Hi Airflow community,

Please find below the information about a vulnerability which has been
addressed in Apache Airflow v2.0.1:

*CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check*

*Description*:
The lineage endpoint of the deprecated Experimental API was not protected
by authentication in Airflow 2.0.0. This allowed unauthenticated users to
hit that endpoint.

This is a low-severity CVE, as the attacker needs to be aware of certain
parameters to pass to that endpoint, and even then can only obtain some
metadata about a DAG and a Task.

This issue affects Apache Airflow 2.0.0. Upgrade to Airflow 2.0.1 to
mitigate this issue.

This does not affect users who have changed the default value of the
`[webserver] secret_key` config option.
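The two conditions above (running 2.0.0, and still using the default `[webserver] secret_key`) can be checked from a deployment's configuration without touching the webserver. The helper below is an added example written for this advisory, not code from the Airflow project or from the advisory author. It assumes the standard Airflow override rule that the `AIRFLOW__WEBSERVER__SECRET_KEY` environment variable takes precedence over `airflow.cfg`; the advisory does not state the default key's literal value, so `DEFAULT_KEY_PLACEHOLDER` is a placeholder to be replaced with the default shipped by your distribution, and `SAMPLE_AIRFLOW_CFG` is a constructed sample file, not a real configuration.

```python
import configparser
from typing import Mapping, Optional

# Constructed sample of a minimal airflow.cfg; only the section this check reads matters.
SAMPLE_AIRFLOW_CFG = """
[core]
dags_folder = /opt/airflow/dags

[webserver]
secret_key = PLACEHOLDER_DEFAULT_KEY
"""

# Placeholder: the advisory does not give the default key's value; substitute the
# default from the airflow.cfg your distribution generates.
DEFAULT_KEY_PLACEHOLDER = "PLACEHOLDER_DEFAULT_KEY"

AFFECTED_VERSION = (2, 0, 0)  # from the advisory: the only affected release
FIXED_VERSION = (2, 0, 1)     # from the advisory: the upgrade target


def parse_version(version: str) -> tuple:
    """Turn '2.0.1' (or a tagged form such as '2.0.1rc1') into a comparable tuple.

    Only the leading digits of each dotted component are kept, so pre-release
    suffixes do not break the comparison.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def effective_secret_key(cfg_text: str, env: Mapping[str, str]) -> Optional[str]:
    """Resolve [webserver] secret_key as Airflow does: the environment variable
    AIRFLOW__WEBSERVER__SECRET_KEY overrides the value in airflow.cfg (assumption
    stated in the lead-in)."""
    if "AIRFLOW__WEBSERVER__SECRET_KEY" in env:
        return env["AIRFLOW__WEBSERVER__SECRET_KEY"]
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("webserver", "secret_key", fallback=None)


def assess_cve_2021_26697(version: str, cfg_text: str, env: Mapping[str, str],
                          default_key: str = DEFAULT_KEY_PLACEHOLDER) -> dict:
    """Apply the advisory's two conditions and return findings plus remediation steps.

    A deployment is in the affected configuration only when BOTH hold:
      * the Airflow version is 2.0.0 (anything below the 2.0.1 fix but at or above 2.0.0), and
      * the default [webserver] secret_key is still in use (unset or equal to the default).
    """
    v = parse_version(version)
    key = effective_secret_key(cfg_text, env)

    vulnerable_version = AFFECTED_VERSION <= v < FIXED_VERSION
    default_key_in_use = key is None or key == default_key

    actions = []
    if vulnerable_version:
        actions.append("upgrade to Apache Airflow 2.0.1 or later")
    if default_key_in_use:
        actions.append("set a unique, random [webserver] secret_key")

    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "default_key_in_use": default_key_in_use,
        "affected": vulnerable_version and default_key_in_use,
        "actions": actions,
    }


if __name__ == "__main__":
    # Run against the constructed sample with no environment override: both conditions hold.
    print(assess_cve_2021_26697("2.0.0", SAMPLE_AIRFLOW_CFG, {}))
```

Feed it the real `airflow.cfg` text and `os.environ` on each webserver host; a non-default key clears the advisory's condition even on 2.0.0, but the upgrade is still listed as an action because that is the fix itself.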


*Credits*:

Apache Airflow would like to thank Ian Carroll for reporting this issue.



Thanks.
Kaxil @ Airflow PMC