Improper Authentication Affecting apache-airflow package, versions [2.0.0, 2.0.1rc1)
Threat Intelligence
EPSS 0.75% (82nd percentile)
- Snyk ID SNYK-PYTHON-APACHEAIRFLOW-1076591
- published 18 Feb 2021
- disclosed 18 Feb 2021
- credit Unknown
Introduced: 18 Feb 2021
CVE-2021-26697
How to fix?
Upgrade apache-airflow to version 2.0.1rc1 or higher.
Overview
apache-airflow is a platform to programmatically author, schedule, and monitor workflows.
Affected versions of this package are vulnerable to Improper Authentication. The lineage endpoint of the deprecated Experimental API was not protected by authentication. This allowed unauthenticated users to hit that endpoint. This is a low-severity issue, as the attacker needs to be aware of certain parameters to pass to that endpoint and, even then, can only get some metadata about a DAG and a Task.
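To find pins that fall inside the affected range [2.0.0, 2.0.1rc1) given above, the following added example (not Snyk's or the Airflow project's code) scans a requirements file for exact apache-airflow pins. The function names and the sample file are constructed, and only `==` pins and the a/b/rc pre-release subset of PEP 440 are handled.

```python
import re

# Affected range as stated in this advisory: [2.0.0, 2.0.1rc1)
LOWER, UPPER = "2.0.0", "2.0.1rc1"

_PHASE = {"a": 0, "b": 1, "rc": 2}   # PEP 440 pre-release phases, in sort order
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:\.?(a|b|rc)(\d+))?$")
_PIN = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def version_key(version):
    """Sort key for the PEP 440 subset used here: release numbers plus a/b/rc."""
    match = _VERSION.match(version.strip().lower())
    if match is None:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(part) for part in match.group(1).split(".")]
    while release and release[-1] == 0:      # 2.0 and 2.0.0 compare equal
        release.pop()
    if match.group(2):
        pre = (_PHASE[match.group(2)], int(match.group(3)))
    else:
        pre = (3, 0)                         # a final release sorts after its rc
    return (tuple(release), pre)

def is_affected(version):
    """True when version lies in the half-open range [LOWER, UPPER)."""
    return version_key(LOWER) <= version_key(version) < version_key(UPPER)

def affected_pins(requirements_text):
    """Return (line number, version) for each affected apache-airflow pin."""
    hits = []
    for number, line in enumerate(requirements_text.splitlines(), start=1):
        match = _PIN.match(line.strip())
        if match is None:
            continue
        name = re.sub(r"[-_.]+", "-", match.group(1)).lower()  # PEP 503 name form
        if name == "apache-airflow" and is_affected(match.group(2)):
            hits.append((number, match.group(2)))
    return hits

# Constructed sample requirements file, not taken from any real project.
SAMPLE = """\
# constructed sample
apache-airflow[postgres]==2.0.0
Apache_Airflow==2.0.1rc1
apache-airflow==1.10.14
apache-airflow-providers-http==1.1.0
"""

if __name__ == "__main__":
    for number, version in affected_pins(SAMPLE):
        print(f"line {number}: apache-airflow {version} is in the affected range")
```

The upper bound is exclusive, so 2.0.1rc1 itself is reported as fixed, while any earlier 2.0.1 pre-release string (for example a beta) would still count as affected.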
CVSS Scores
version 3.1