Description
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
References
- Mailing List, Vendor Advisory
- Mailing List, Vendor Advisory
Vulnerable configurations
Configuration 1: versions from 2.0.0 (inclusive) to 2.1.3 (exclusive)
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
EPSS
Percentile: 100%
0.90036
Critical
9.8 Critical
CVSS3
7.5 High
CVSS2
Weaknesses
CWE-269
CWE-306
Related vulnerabilities
CVSS3: 9.8
debian
more than 4 years ago
The variable import endpoint was not protected by authentication in Ai ...
CVSS3: 9.8
github
more than 3 years ago
Missing Authentication for Critical Function in Apache Airflow