Improper Access Control on Configurations Endpoint in Apache Airflow 2.0.0

Improper Access Control on Configurations Endpoint in Apache Airflow 2.0.0

CVE-2021-26559 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.

Learn more about our Cis Benchmark Audit For Apache Http Server.