GHSA-fh37-cx83-q542

Source

https://github.com/advisories/GHSA-fh37-cx83-q542

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fh37-cx83-q542

Aliases

Published

2021-06-18T18:30:11Z

Modified

2024-09-12T20:10:22Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Improper Authentication in Apache Airflow

Details

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue only affects Apache Airflow 2.0.0.

Database specific

{
    "nvd_published_at": "2021-02-17T15:15:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2021-05-07T21:48:45Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-269",
        "CWE-287",
        "CWE-306"
    ]
}

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.1rc1

Affected versions

2.*

2.0.0