Published: 09/09/2021 Updated: 07/11/2023

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache airflow

Check Point Reference: CPAI-2021-2135 Date Published: 10 Mar 2024 Severity: Critical ...

oss-sec mailing list archives   By Date By Thread </form>    CVE-2021-38540: Apache Airflow: Variable Import endpoint missed authentication check  <!--X-Head-of ...

Missing Authentication on Critical component CVE-2021-38540

CVE-2021-38540 Proof of Concept Missing Authentication on Critical component Known as CVE-2021-38540 About this bug: The variable import endpoint was not protected by authentication in Airflow >=200, <213 This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, informat

CWE-306 https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2%40%3Cannounce.apache.org%3E https://nvd.nist.gov https://github.com/Captain-v-hook/PoC-for-CVE-2021-38540-http://seclists.org/oss-sec/2021/q3/160 https://advisories.checkpoint.com/defense/advisories/public/2024/cpai-2021-2135.html

CVE-2021-38540

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

Github Repositories

References

Vulmon Search

About

Products

Connect