5 matches found
CVE-2021-35936
If remote logging is not used, the worker in the case of CeleryExecutor or the scheduler in the case of LocalExecutor runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG...
acceldata-o2a (=1.0.0), acryl-datahub-airflow-plugin (>=0.9.5.1rc1 <=1.3.1.post1) +119 more potentially affected by CVE-2021-35936 via apache-airflow (>=1.8.2 <=2.1.1)
apache-airflow PYPI version =1.8.2, =0.9.5.1rc1, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.4.0, =0.1.0a1, =0.6.0, =0.1.1, =0.1.1, =0.10.2, =0.11.0 - airflow-ditto =0.0.1.2 and more Source cves: CVE-2021-35936 Source advisory: OSV:GHSA-M6H2-JX9V-58W6...
acceldata-o2a (=1.0.0), acryl-datahub-airflow-plugin (>=0.9.5.1rc1 <=1.3.1.post1) +119 more potentially affected by CVE-2021-35936 via apache-airflow (>=1.8.2 <=2.1.1)
apache-airflow PYPI version =1.8.2, =0.9.5.1rc1, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.4.0, =0.1.0a1, =0.6.0, =0.1.1, =0.1.1, =0.10.2, =0.11.0 - airflow-ditto =0.0.1.2 and more Source cves: CVE-2021-35936 Source advisory: OSV:PYSEC-2021-122...
CVE-2021-35936
Apache Airflow CVE-2021-35936 affects versions older than 2.1.2. When remote logging is not used, the worker (CeleryExecutor) or the scheduler (LocalExecutor) spins up a Flask logging server that binds to 0.0.0.0 on a specific port and lacks authentication, allowing reads of DAG job log files. Th...
CVE-2021-35936 No Authentication on Logging Server
If remote logging is not used, the worker in the case of CeleryExecutor or the scheduler in the case of LocalExecutor runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG...