Missing Authentication for Critical Function
CVE-2021-38540
Summary
The variable import endpoint was not protected by authentication in Airflow >=2.0.0b1, <2.1.3rc1. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0b1, <2.1.3rc1.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-306 - Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
References
Advisory Timeline
- Published
