CVE-2020-13927 — CRITICAL (9.8)

Q: How severe is CVE-2020-13927?

CVE-2020-13927 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-13927?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.

Vulnerability Description

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Airflow	< 1.10.11

Related Weaknesses (CWE)

CWE-1188 CWE-1056 CWE-306

References

http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-EExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-EExploitThird Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7Mailing ListVendor Advisory
http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-EExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-EExploitThird Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7Mailing ListVendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2020-13927?

CVE-2020-13927 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the de...

How severe is CVE-2020-13927?

CVE-2020-13927 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-13927?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.