Posted to users@airflow.apache.org by Kaxil Naik <ka...@gmail.com> on 2022/01/19 14:04:54 UTC

CVE-2021-45230: Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver

Hi, Airflow community,

Please find below the information about a vulnerability that has been
addressed in Apache Airflow v2.2.0+:

*Description*:
This CVE covers a specific case: a user who holds the global "can_create"
permission on DAG Runs could create DAG Runs for DAGs on which they do
not hold "edit" permission, so the per-DAG permission was not enforced.

This is a very low severity CVE. Affected versions are Airflow >=2.0.0,<2.2.0
and the 1.10.x releases that run with `rbac=True` set in config. Admins on
those versions can mitigate the issue by removing the global "can_create"
permission on DagRun from roles that should not be able to trigger every
DAG, or by upgrading to 2.2.0 or later, where the check was fixed.

*Credit*:
Apache Airflow PMC would like to thank Franco Cano Erazo for reporting
this issue.


Thanks.
Kaxil @ Airflow PMC
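The check at the heart of this advisory, as an added example that is not part of the original post and not Apache Airflow's own code: a minimal model of the RBAC decision, with the pre-2.2.0 behaviour (only the global "can_create" on DAG Runs is consulted) beside a hardened check that also requires "can_edit" on the specific DAG, plus an audit helper that lists roles holding the global permission the advisory suggests removing. The shape of the permission model (an (action, resource) pair per grant, a global "DAG Runs" resource and one "DAG:<dag_id>" resource per DAG) follows Airflow's RBAC scheme, but the role names, DAG ids and permission sets are constructed for illustration, and the assumption that the fixed check still requires the global permission in addition to the per-DAG one is mine, not something the advisory states.

```python
"""Model of the DagRun-creation permission check behind CVE-2021-45230.

Added example, not code from Apache Airflow or from the advisory.
Resource/action spellings follow Airflow's RBAC naming (assumption);
roles, DAG ids and permission sets below are constructed test data.
"""
from typing import Dict, FrozenSet, List, Tuple

Permission = Tuple[str, str]  # (action, resource)

# Resource and action names as used by Airflow's RBAC model (assumed spelling).
RESOURCE_DAG_RUN = "DAG Runs"
ACTION_CAN_CREATE = "can_create"
ACTION_CAN_EDIT = "can_edit"


def dag_resource(dag_id: str) -> str:
    """Per-DAG resource name, e.g. 'DAG:reporting_daily'."""
    return f"DAG:{dag_id}"


# Constructed role -> permission map (not taken from any real deployment).
ROLES: Dict[str, FrozenSet[Permission]] = {
    # Holds the global DagRun create permission but may edit only one DAG.
    "reporting_user": frozenset({
        (ACTION_CAN_CREATE, RESOURCE_DAG_RUN),
        (ACTION_CAN_EDIT, dag_resource("reporting_daily")),
    }),
    # May edit a DAG but was never granted the global DagRun permission.
    "etl_viewer": frozenset({
        (ACTION_CAN_EDIT, dag_resource("etl_daily")),
    }),
}


def can_trigger_dagrun_vulnerable(role: str, dag_id: str) -> bool:
    """Behaviour the advisory describes for affected versions: only the
    global 'can_create' on 'DAG Runs' is consulted, so dag_id is ignored."""
    return (ACTION_CAN_CREATE, RESOURCE_DAG_RUN) in ROLES[role]


def can_trigger_dagrun_fixed(role: str, dag_id: str) -> bool:
    """Hardened check: the global permission is still required (assumption),
    and the caller must additionally hold 'can_edit' on that specific DAG."""
    perms = ROLES[role]
    return ((ACTION_CAN_CREATE, RESOURCE_DAG_RUN) in perms
            and (ACTION_CAN_EDIT, dag_resource(dag_id)) in perms)


def roles_with_global_dagrun_create() -> List[str]:
    """Audit helper: roles holding the global permission that the advisory
    suggests removing on affected versions."""
    return sorted(role for role, perms in ROLES.items()
                  if (ACTION_CAN_CREATE, RESOURCE_DAG_RUN) in perms)


if __name__ == "__main__":
    cases = [("reporting_user", "reporting_daily"),
             ("reporting_user", "etl_daily"),
             ("etl_viewer", "etl_daily")]
    for role, dag in cases:
        print(f"{role} -> {dag}: vulnerable={can_trigger_dagrun_vulnerable(role, dag)} "
              f"fixed={can_trigger_dagrun_fixed(role, dag)}")
    print("roles holding global DagRun can_create:", roles_with_global_dagrun_create())
```

The "reporting_user" / "etl_daily" case is the one the advisory describes: the vulnerable check lets that role trigger a DAG it cannot edit, and the hardened check refuses it. The audit helper is the thing to run against a real role table before deciding whose global "can_create" on DagRun to revoke.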