Posted to announce@apache.org by Jarek Potiuk <po...@apache.org> on 2021/06/18 10:35:40 UTC

Apache Airflow CVE: CVE-2021-29621: User enumeration in database authentication in Flask-AppBuilder <= 3.2.3.

Please find below the information about a vulnerability which has been
addressed in Apache Airflow 2.1.0.

Description: Allows an unauthenticated user to enumerate
existing accounts by timing the server's response to login
attempts.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29621

Airflow 1.10 has reached end of life and this vulnerability will not
be addressed in the 1.10.* series. We advise everyone to migrate to
Airflow 2.1+.

Credits:
Dolev Farhi

Thanks.
Jarek @ Airflow PMC