PYSEC-2021-326

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2021-326.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2021-326
Aliases
Published
2021-09-09T15:15:00Z
Modified
2023-12-06T00:46:24.008257Z
Summary
[none]
Details

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

References

Affected packages

PyPI / apache-airflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.3

Affected versions

2.*

2.0.0
2.0.1rc1
2.0.1rc2
2.0.1
2.0.2rc1
2.0.2
2.1.0rc1
2.1.0rc2
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2
2.1.3rc1