
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN106
_____________________________________________________________________

DATE                : 19/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Apache Airflow versions prior to
                      2.0.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202102.mbox/%3cpony-762f1fed708bdb04af3f52cafbce77c382effa7a-7910aaa4c84fa213ef8f92bca5f1aa07f1235e64@announce.apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202102.mbox/%3cpony-762f1fed708bdb04af3f52cafbce77c382effa7a-99f48f071c67417c636b3ddff8f829877178d34b@announce.apache.org%3e
_____________________________________________________________________

CVE-2021-26559: Apache Airflow: CWE-284 Privilege Escalation Attack


Software: Apache Airflow

Versions Affected: 2.0.0

*Description*:

Improper Access Control on Configurations Endpoint for the Stable API
of Apache Airflow allows users with Viewer or User role to get Airflow
Configurations including sensitive information even when `[webserver]
expose_config` is set to `False` in `airflow.cfg`.

This allowed a privilege escalation attack.

This issue affects Apache Airflow 2.0.0.


*Mitigation*:

Upgrade to Airflow 2.0.1, or remove the `can read on Configurations`
permission from roles like Viewer and User if you want to restrict
users with those roles from viewing configurations in 2.0.0.


*Credit*:
Apache Airflow would like to thank Ian Carroll for reporting this issue.

Thanks,
Kaxil,
on behalf of Apache Airflow PMC
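
The audit below is an added example and is not part of the advisory or
of the Airflow project's code. It models the 2.0.0 condition the advisory
describes: `[webserver] expose_config` is False, yet non-admin roles still
hold the Configurations read permission that guards the stable API
endpoint. It assumes Airflow's (action, resource) permission naming, with
the pair `("can_read", "Configurations")` standing for "can read on
Configurations"; the role table and the airflow.cfg fragment are
constructed for the example, where a real check would read them from the
Airflow metadata database and the deployed airflow.cfg.

```python
"""Audit Airflow 2.0.0 roles for the configuration-read exposure.

Added example, not from the advisory or the Airflow project. Assumptions:
  - permissions use Airflow's (action, resource) naming, so the stable-API
    configuration endpoint is guarded by ("can_read", "Configurations");
  - the role table and airflow.cfg text below are constructed; in a real
    deployment they come from the metadata DB and the deployed config.
"""
import configparser
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]            # (action, resource)
RolePerms = Dict[str, Set[Permission]]

CONFIG_READ: Permission = ("can_read", "Configurations")
ROLES_EXPECTED_TO_SEE_CONFIG: Set[str] = {"Admin"}

# Constructed airflow.cfg fragment: the operator believes config is hidden.
SAMPLE_AIRFLOW_CFG = """
[webserver]
expose_config = False
"""

# Constructed role table in which Viewer and User still carry the
# configuration-read permission, as the advisory describes for 2.0.0.
SAMPLE_ROLES: RolePerms = {
    "Admin":  {CONFIG_READ, ("can_read", "DAGs"), ("can_edit", "DAGs")},
    "User":   {CONFIG_READ, ("can_read", "DAGs"), ("can_edit", "DAGs")},
    "Viewer": {CONFIG_READ, ("can_read", "DAGs")},
    "Public": set(),
}


def expose_config_enabled(cfg_text: str) -> bool:
    """Effective [webserver] expose_config value (missing key => False)."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return parser.getboolean("webserver", "expose_config", fallback=False)


def roles_exposing_config(roles: RolePerms,
                          allowed: Set[str] = ROLES_EXPECTED_TO_SEE_CONFIG
                          ) -> List[str]:
    """Roles outside `allowed` that can read Configurations via the API."""
    return sorted(name for name, perms in roles.items()
                  if CONFIG_READ in perms and name not in allowed)


def audit(cfg_text: str, roles: RolePerms) -> List[str]:
    """Findings are only meaningful when expose_config is False: the
    operator intends to hide the config, but the API permission grants it."""
    if expose_config_enabled(cfg_text):
        return []   # config is intentionally public; nothing to flag
    return roles_exposing_config(roles)


def remediate(roles: RolePerms,
              allowed: Set[str] = ROLES_EXPECTED_TO_SEE_CONFIG) -> RolePerms:
    """Copy of `roles` with the Configurations read permission removed
    from every role not in `allowed` (the advisory's 2.0.0 workaround)."""
    return {name: (set(perms) if name in allowed else perms - {CONFIG_READ})
            for name, perms in roles.items()}


if __name__ == "__main__":
    print("roles that can still read config:",
          audit(SAMPLE_AIRFLOW_CFG, SAMPLE_ROLES))
    print("after remediation:",
          audit(SAMPLE_AIRFLOW_CFG, remediate(SAMPLE_ROLES)))
```

The permission removal is the stop-gap for 2.0.0 only; upgrading to 2.0.1
fixes the endpoint check itself, after which the roles can keep their
default permission set.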

_____________________________________________________________________

Hello all,

Please find below the information about a vulnerability which has been
addressed in Apache Airflow v2.0.1:

CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental
API missed authentication check

Description:
The lineage endpoint of the deprecated Experimental API was not
protected by authentication in Airflow 2.0.0. This allowed
unauthenticated users to hit that endpoint.

This is a low-severity CVE, as the attacker needs to be aware of certain
parameters to pass to that endpoint and, even then, can just get some
metadata about a DAG and a Task.

This issue affects Apache Airflow 2.0.0. Upgrade to Airflow 2.0.1 to
mitigate this issue.

This does not affect users who have changed the default value for the
`[webserver] secret_key` config.

Credits:
Apache Airflow would like to thank Ian Carroll for reporting this issue.


Thanks.
Kaxil @ Airflow PMC
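
For operators who ran 2.0.0 with the default `secret_key`, the question
after upgrading is whether anyone reached the unauthenticated lineage
endpoint. The script below is an added example, not part of the advisory
or of the Airflow project. It scans webserver access logs for requests
to the Experimental API lineage endpoint and summarises them per client.
It assumes gunicorn-style combined access lines and that the endpoint's
path starts with `/api/experimental/lineage/` (the advisory names the
endpoint but not its path); the log lines are constructed for the example.

```python
"""Flag requests to the deprecated Experimental API lineage endpoint in
Airflow webserver access logs.

Added example, not from the advisory or the Airflow project. Assumptions:
  - the webserver (gunicorn) writes combined-format access lines;
  - the lineage endpoint path begins with /api/experimental/lineage/;
  - the log lines below are constructed for this example.
"""
import re
from typing import Dict, List, Optional

LINEAGE_PREFIX = "/api/experimental/lineage/"

# ip ident user [timestamp] "METHOD path proto" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one internal client, one external client that pulls
# lineage metadata once (200) and misses once (404).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2021:09:12:01 +0000] "GET /home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2021:09:12:44 +0000] "GET /api/experimental/lineage/example_dag/2021-02-18T00:00:00+00:00 HTTP/1.1" 200 312 "-" "curl/7.68.0"
10.0.0.5 - - [19/Feb/2021:09:13:02 +0000] "GET /api/v1/dags HTTP/1.1" 200 2048 "-" "python-requests/2.25.1"
203.0.113.7 - - [19/Feb/2021:09:13:10 +0000] "GET /api/experimental/lineage/other_dag/2021-02-18T00:00:00+00:00 HTTP/1.1" 404 120 "-" "curl/7.68.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access line; None if it does not match."""
    match = ACCESS_RE.match(line)
    return match.groupdict() if match else None


def lineage_hits(log_text: str,
                 successful_only: bool = True) -> List[Dict[str, str]]:
    """Entries that touched the lineage endpoint. With successful_only,
    keep only 2xx responses, i.e. requests that actually returned metadata."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["path"].startswith(LINEAGE_PREFIX):
            continue
        if successful_only and not entry["status"].startswith("2"):
            continue
        hits.append(entry)
    return hits


def sources(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Hit count per client IP, to see who was pulling DAG/task metadata."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    served = lineage_hits(SAMPLE_LOG)
    for hit in served:
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]}')
    print("per-source counts:", sources(lineage_hits(SAMPLE_LOG, False)))
```

Because the access log records no Airflow identity, every 2xx hit on the
endpoint during the 2.0.0 window has to be treated as possibly
unauthenticated; the per-source counts are the starting point for deciding
which clients were expected integrations and which were not.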



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



