Posted to announce@apache.org by Jarek Potiuk <po...@apache.org> on 2021/06/18 10:35:40 UTC
Apache Airflow CVE: CVE-2021-29621: User enumeration in database
authentication in Flask-AppBuilder <= 3.2.3.
Please find below the information about a vulnerability which has been
addressed in Apache Airflow 2.1.0.
Description: Allows an unauthenticated user to enumerate
existing accounts by timing the server's response to login
attempts.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29621
Airflow 1.10 reached end of life and this vulnerability will not be
addressed in 1.10.* series. We advise everyone to migrate to Airflow
2.1+.
Credits:
Dolev Farhi
Thanks.
Jarek @ Airflow PMC
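
An added example, not code from this advisory or from Flask-AppBuilder: one common way this class of timing difference arises in a database login check, next to a balanced version. It assumes the difference comes from skipping the password hash for unknown usernames, which the advisory does not state; all names (`USERS`, `login_leaky`, `login_balanced`, `hashes_used`) are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
hash_calls = 0  # instrumentation: compare work done per login without using a clock


def hash_password(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample user store (hypothetical; stands in for the auth database).
USERS = {"alice": make_record("correct horse")}
# Record belonging to no account, used to spend the same hashing cost on unknown users.
DUMMY_SALT, DUMMY_HASH = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users, so they are answered faster than known ones."""
    record = USERS.get(username)
    if record is None:
        return False  # no hash computed: measurable timing difference
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_balanced(username: str, password: str) -> bool:
    """Performs one hash and one comparison whether or not the user exists."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    return matches and record is not None


def hashes_used(login, username: str, password: str) -> int:
    """Number of password-hash computations a single login attempt triggers."""
    before = hash_calls
    login(username, password)
    return hash_calls - before
```

Counting hash computations makes the imbalance visible deterministically; on a real deployment the same check can be applied to the login handler to confirm known and unknown usernames follow the same code path.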