CVE-2021-45230 - Vulnerability Details - OpenCVE

In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01839.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Airflow

Configuration 1 [-]

OR	cpe:2.3:a:apache:airflow::::::::
	cpe:2.3:a:apache:airflow::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-0007	In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for.
Github GHSA	GHSA-4jh2-3c85-q67h	Improper Privilege Management in apache-airflow

Fixes

Solution

No solution given by the vendor.

Workaround

This is a very low severity CVE and admins can mitigate this issue by removing the global "can_create" permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set `rbac=True` in config.

References

Link	Providers
https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-20T10:25:10

Updated: 2024-08-04T04:39:20.469Z

Reserved: 2021-12-17T00:00:00

Link: CVE-2021-45230

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-20T11:15:07.993

Modified: 2024-11-21T06:32:01.053

Link: CVE-2021-45230

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Airflow 1.10 1.10.0 to 1.10.15"}, {"lessThan": "2.2.0", "status": "affected", "version": "Apache Airflow 2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Airflow PMC would like to thank Franco Cano Erazo for reporting this issue."}], "descriptions": [{"lang": "en", "value": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for."}], "problemTypes": [{"descriptions": [{"description": "Permission checks were limited.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-20T10:25:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver", "workarounds": [{"lang": "en", "value": "This is a very low severity CVE and admins can mitigate this issue by removing the global \"can_create\" permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set `rbac=True` in config."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-45230", "STATE": "PUBLIC", "TITLE": "Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Airflow", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Airflow 2", "version_value": "2.2.0"}, {"version_name": "Apache Airflow 1.10", "version_value": "1.10.0 to 1.10.15"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Airflow PMC would like to thank Franco Cano Erazo for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Permission checks were limited."}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl", "refsource": "MISC", "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "This is a very low severity CVE and admins can mitigate this issue by removing the global \"can_create\" permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set `rbac=True` in config."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.469Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-45230", "datePublished": "2022-01-20T10:25:10", "dateReserved": "2021-12-17T00:00:00", "dateUpdated": "2024-08-04T04:39:20.469Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CE396B0-4860-42E9-9686-C67896C8FDA9", "versionEndIncluding": "1.10.15", "versionStartIncluding": "1.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4528409E-F035-48EC-BD62-EF07FA29E2F4", "versionEndExcluding": "2.2.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for."}, {"lang": "es", "value": "En Apache Airflow versiones anteriores a 2.2.0. Esta CVE es aplicada a un caso espec\u00edfico en el que un usuario que presenta permisos \"can_create\" en las ejecuciones DAG puede crear ejecuciones Dag para dags para los que no presenta permisos \"edit\""}], "id": "CVE-2021-45230", "lastModified": "2024-11-21T06:32:01.053", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-20T11:15:07.993", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}