apache_airflow is vulnerable to privilege escalation. Users with Viewer or User role are able to access sensitive information as it does not enforce a proper access control on Configurations Endpoint for the Stable API even if [webserver] expose_config
is set to False in airflow.cfg
.
www.openwall.com/lists/oss-security/2021/02/17/1
github.com/advisories/GHSA-ffw3-6mp6-jmvj
github.com/apache/airflow/blob/486b76438c0679682cf98cb88ed39c4b161cbcc8/CHANGELOG.txt#L11
github.com/apache/airflow/commit/1b94346fbeca619f3084d05bdc5358836ed02318
github.com/apache/airflow/pull/13377
lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E