Vulnerability Description
Improper Access Control on the Configurations endpoint of the Stable API of Apache Airflow allows users with the Viewer or User role to retrieve Airflow configuration, including sensitive information, even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | 2.0.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/02/17/1 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a1 (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160
FAQ
What is CVE-2021-26559?
CVE-2021-26559 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Improper Access Control on the Configurations endpoint of the Stable API of Apache Airflow allows users with the Viewer or User role to retrieve Airflow configuration, including sensitive information, even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This issue affects Apache Airflow 2.0.0.
How severe is CVE-2021-26559?
CVE-2021-26559 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-26559?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.