GHSA-h88f-r7cw-8fv3

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h88f-r7cw-8fv3/GHSA-h88f-r7cw-8fv3.json
Aliases
  • CVE-2021-38540
Published
2022-05-24T19:14:00Z
Modified
2022-06-21T20:30:38.257028Z
Details

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

Affected packages

PyPI / apache-airflow

Affected ranges

Type: ECOSYSTEM
Events:
  • Introduced: 2.0.0
  • Fixed: 2.1.3

Affected versions

2.*

2.0.0
2.0.1
2.0.1rc1
2.0.1rc2
2.0.2
2.0.2rc1
2.1.0
2.1.0rc1
2.1.0rc2
2.1.1
2.1.1rc1
2.1.2
2.1.2rc1
2.1.3rc1

Database specific

{
    "last_known_affected_version_range": "<= 2.1.2"
}