CVE-2021-35936: Missing Authorization in Apache Airflow
(updated )
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
References
- github.com/advisories/GHSA-m6h2-jx9v-58w6
- github.com/apache/airflow
- github.com/apache/airflow/commit/27265516d2b897585f5019ecd820cfe5471fd351
- github.com/apache/airflow/commit/7a5bb88ad78d600fbb1676a55752597928115bd8
- github.com/apache/airflow/commit/d772f38f843b9add5319a01cf51a844145b01f63
- github.com/apache/airflow/compare/2.1.1...2.1.2
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-122.yaml
- lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2021-35936
Detect and mitigate CVE-2021-35936 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →