CVE-2021-26697 - OpenCVE

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Airflow

Configuration 1 [-]

cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2021/02/17/2
https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cdev.airflow.apache.org%3E
https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-02-17T14:15:15

Updated: 2024-08-03T20:33:40.321Z

Reserved: 2021-02-04T00:00:00

Link: CVE-2021-26697

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-17T15:15:13.593

Modified: 2023-11-07T03:31:47.940

Link: CVE-2021-26697

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Airflow 2.0.0"}]}], "credits": [{"lang": "en", "value": "Apache Airflow would like to thank Ian Carroll for reporting this issue."}], "descriptions": [{"lang": "en", "value": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-17T16:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/2"}, {"name": "[airflow-dev] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cdev.airflow.apache.org%3E"}, {"name": "[airflow-users] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"}, {"name": "[announce] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9%40%3Cannounce.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-26697", "STATE": "PUBLIC", "TITLE": "Apache Airflow: Lineage API endpoint for Experimental API missed authentication check"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Airflow", "version": {"version_data": [{"version_affected": "=", "version_name": "Apache Airflow", "version_value": "2.0.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Airflow would like to thank Ian Carroll for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-269 Improper Privilege Management"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/02/17/2"}, {"name": "[airflow-dev] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E"}, {"name": "[airflow-users] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E"}, {"name": "[announce] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:33:40.321Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/2"}, {"name": "[airflow-dev] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cdev.airflow.apache.org%3E"}, {"name": "[airflow-users] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"}, {"name": "[announce] 20210217 CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9%40%3Cannounce.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-26697", "datePublished": "2021-02-17T14:15:15", "dateReserved": "2021-02-04T00:00:00", "dateUpdated": "2024-08-03T20:33:40.321Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A12F59D-265C-4E88-A7A9-0A972A45408D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0."}, {"lang": "es", "value": "El endpoint lineage de la API Experimental obsoleta no estaba protegido por autenticaci\u00f3n en Airflow versi\u00f3n 2.0.0. Esto permiti\u00f3 a usuarios no autenticados llegar a ese endpoint. Este es un problema de baja gravedad, ya que el atacante debe estar consciente de determinados par\u00e1metros para pasar a ese endpoint e incluso despu\u00e9s puede obtener algunos metadatos sobre un DAG y una tarea. Este problema afecta a Apache Airflow versi\u00f3n 2.0.0"}], "id": "CVE-2021-26697", "lastModified": "2023-11-07T03:31:47.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-17T15:15:13.593", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/2"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cdev.airflow.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@apache.org", "type": "Secondary"}]}