CVE-2021-26559
MEDIUM6.5EPSS 0.56%CWE-284 Improper Access Control on Configurations Endpoint for the Stable API
Published: 4/7/2021Modified: 5/20/2025
Description
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.
Affected packages (3)
- Bitnami/airflow>= 2.0.0, < 2.0.1
- PyPI/apache-airflow>= 2.0.0, < 2.0.1rc1
- PyPI/apache-airflowfrom 0, < 2.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (11)
- ADVISORYhttps://github.com/advisories/GHSA-ffw3-6mp6-jmvj
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-26559
- PATCHhttps://github.com/apache/airflow
- WEBhttps://github.com/apache/airflow/blob/486b76438c0679682cf98cb88ed39c4b161cbcc8/CHANGELOG.txt
- WEBhttps://github.com/apache/airflow/commit/3909232fafd09ac72b49010ecdfd6ea48f06d5cf
- WEBhttps://github.com/apache/airflow/commit/5e35926c7eda0dfa11a9623e4bf5f60c2bd6b3f6
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-2.yaml
- WEBhttps://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E
- WEBhttp://www.openwall.com/lists/oss-security/2021/02/17/1