Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Airflow

Affected Versions:

Apache Airflow 2.0.0

References

https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E

http://www.openwall.com/lists/oss-security/2021/02/17/1

https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E

Published: 2021-02-17T14:15:14.000Z

Last Modified: 2025-02-13T16:27:54.002Z

Copied to clipboard!