CVE-2021-35936

Published: Aug 16, 2021

Modified: Aug 4, 2024

PUBLISHED

Description

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server that listens on a specific port and binds to 0.0.0.0 by default. This logging server has no authentication and allows reading the log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.

Vendor: Apache Software Foundation

Product: Apache Airflow

Versions: affected, Apache Airflow - < 2.1.2

Weaknesses (CWE)
