CVE-2021-45230 - OpenCVE

In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Airflow

Configuration 1 [-]

OR	cpe:2.3:a:apache:airflow::::::::
	cpe:2.3:a:apache:airflow::::::::

No data.

References

Link	Providers
https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-20T10:25:10

Updated: 2024-08-04T04:39:20.469Z

Reserved: 2021-12-17T00:00:00

Link: CVE-2021-45230

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-20T11:15:07.993

Modified: 2022-07-12T17:42:04.277

Link: CVE-2021-45230

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Airflow 1.10 1.10.0 to 1.10.15"}, {"lessThan": "2.2.0", "status": "affected", "version": "Apache Airflow 2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Airflow PMC would like to thank Franco Cano Erazo for reporting this issue."}], "descriptions": [{"lang": "en", "value": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for."}], "problemTypes": [{"descriptions": [{"description": "Permission checks were limited.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-20T10:25:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver", "workarounds": [{"lang": "en", "value": "This is a very low severity CVE and admins can mitigate this issue by removing the global \"can_create\" permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set `rbac=True` in config."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-45230", "STATE": "PUBLIC", "TITLE": "Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Airflow", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Airflow 2", "version_value": "2.2.0"}, {"version_name": "Apache Airflow 1.10", "version_value": "1.10.0 to 1.10.15"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Airflow PMC would like to thank Franco Cano Erazo for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Permission checks were limited."}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl", "refsource": "MISC", "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "This is a very low severity CVE and admins can mitigate this issue by removing the global \"can_create\" permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set `rbac=True` in config."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.469Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-45230", "datePublished": "2022-01-20T10:25:10", "dateReserved": "2021-12-17T00:00:00", "dateUpdated": "2024-08-04T04:39:20.469Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CE396B0-4860-42E9-9686-C67896C8FDA9", "versionEndIncluding": "1.10.15", "versionStartIncluding": "1.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4528409E-F035-48EC-BD62-EF07FA29E2F4", "versionEndExcluding": "2.2.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for."}, {"lang": "es", "value": "En Apache Airflow versiones anteriores a 2.2.0. Esta CVE es aplicada a un caso espec\u00edfico en el que un usuario que presenta permisos \"can_create\" en las ejecuciones DAG puede crear ejecuciones Dag para dags para los que no presenta permisos \"edit\""}], "id": "CVE-2021-45230", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-20T11:15:07.993", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}