Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when [webserver] expose_config
is set to False
in airflow.cfg
. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.