|
|
|||
| Rule General Information |
|---|
| Release Date: | 2024-08-28 | |
| Rule Name: | Apache Airflow Experimental API Authentication Bypass Vulnerability (CVE-2020-13927) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. | |
| Impact: | An unauthorized remote attacker can bypass authentication and gain access to the application with specially crafted requests. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E |
|
| Solutions |
|---|
| Refer to the announcement or patch by the vendor: https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd |