CVE-2021-26559 - OpenCVE

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Airflow

Configuration 1 [-]

cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2021/02/17/1
https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-02-17T14:15:14

Updated: 2024-08-03T20:26:25.506Z

Reserved: 2021-02-02T00:00:00

Link: CVE-2021-26559

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-17T15:15:13.500

Modified: 2023-11-07T03:31:45.800

Link: CVE-2021-26559

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Airflow 2.0.0"}]}], "credits": [{"lang": "en", "value": "Apache Airflow would like to thank Ian Carroll for reporting this issue."}], "descriptions": [{"lang": "en", "value": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control on Configurations Endpoint for the Stable API", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-17T16:06:03", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210217 CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/1"}, {"name": "[announce] 20210217 CVE-2021-26559: Apache Airflow: CWE-284 Privilege Escalation Attack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "CWE-284 Improper Access Control on Configurations Endpoint for the Stable API", "workarounds": [{"lang": "en", "value": "Upgrade to Airflow 2.0.1 or remove `can read on Configurations` permission from the roles like Viewer and Users if you want to restrict users with those roles to view configurations in 2.0.0."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-26559", "STATE": "PUBLIC", "TITLE": "CWE-284 Improper Access Control on Configurations Endpoint for the Stable API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Airflow", "version": {"version_data": [{"version_affected": "=", "version_name": "Apache Airflow", "version_value": "2.0.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Airflow would like to thank Ian Carroll for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control on Configurations Endpoint for the Stable API"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210217 CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/02/17/1"}, {"name": "[announce] 20210217 CVE-2021-26559: Apache Airflow: CWE-284 Privilege Escalation Attack", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Upgrade to Airflow 2.0.1 or remove `can read on Configurations` permission from the roles like Viewer and Users if you want to restrict users with those roles to view configurations in 2.0.0."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:26:25.506Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210217 CVE-2021-26559: Apache Airflow 2.0.0: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/1"}, {"name": "[announce] 20210217 CVE-2021-26559: Apache Airflow: CWE-284 Privilege Escalation Attack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-26559", "datePublished": "2021-02-17T14:15:14", "dateReserved": "2021-02-02T00:00:00", "dateUpdated": "2024-08-03T20:26:25.506Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A12F59D-265C-4E88-A7A9-0A972A45408D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0."}, {"lang": "es", "value": "Un Control de Acceso Inapropiado en el Endpoint Configurations para la API Stable de Apache Airflow permite a usuarios con rol de Visualizadores o Usuario obtener Configuraciones de Airflow, incluyendo informaci\u00f3n confidencial, incluso cuando \"[webserver] expose_config\" est\u00e1 configurado como \"False\" en \"airflow.cfg\". Esto permiti\u00f3 un ataque de escalada de privilegios. Este problema afecta a Apache Airflow versi\u00f3n 2.0.0"}], "id": "CVE-2021-26559", "lastModified": "2023-11-07T03:31:45.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-17T15:15:13.500", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@apache.org", "type": "Secondary"}]}