CVE-2021-26559

Опубликовано: 17 фев. 2021

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when [webserver] expose_config is set to False in airflow.cfg. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.

Ссылки

http://www.openwall.com/lists/oss-security/2021/02/17/1
Mailing List
Third Party Advisory
https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
Mailing List
Vendor Advisory
https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/02/17/1
Mailing List
Third Party Advisory
https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
Mailing List
Vendor Advisory
https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 68%

0.00557

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-284

NVD-CWE-Other

Связанные уязвимости

CVE-2021-26559

CVSS3: 6.5

debian

почти 5 лет назад

Improper Access Control on Configurations Endpoint for the Stable API ...

GHSA-ffw3-6mp6-jmvj

CVSS3: 6.5

github

почти 5 лет назад

Improper Access Control in Apache Airflow

EPSS

Процентиль: 68%

0.00557

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-284

NVD-CWE-Other