Improper Access Control in Apache Airflow
High severity
GitHub Reviewed
Published
Apr 7, 2021
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Feb 17, 2021
Reviewed
Apr 1, 2021
Published to the GitHub Advisory Database
Apr 7, 2021
Last updated
Nov 18, 2024
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when
[webserver] expose_config
is set toFalse
inairflow.cfg
. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.References