CVE-2021-35936

CVE-2021-35936: No Authentication on Logging Server

Vendor Apache Software Foundation
Product Apache Airflow
Weakness CWE-200 · Info exposure
Published August 16, 2021
Last update August 4, 2024

CVSS base score

What the vulnerability does

01 Description

If remote logging is not configured, the worker (with CeleryExecutor) or the scheduler (with LocalExecutor) runs a Flask log server that listens on a fixed port and, by default, binds to 0.0.0.0 rather than to a local interface. That log server performed no authentication, so anyone who could reach the port over the network could read the log files of DAG task runs. Task logs routinely capture command output, which is why the weakness is classified as information exposure (CWE-200). This issue affects Apache Airflow versions before 2.1.2; the fix is to upgrade to 2.1.2 or later, and until then the port should not be reachable from untrusted networks.
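The following is an added example, not Airflow's own code, that models the condition above and its remedy with the Python standard library only. A small HTTP server serves task log files from a constructed log directory: with `require_token = False` it answers any GET without credentials, which is the pre-2.1.2 condition; with `require_token = True` it demands a secret-keyed, path-bound, expiring token in the `Authorization` header. `is_exposed()` is the triage check a practitioner would run against a real host. Everything beyond the page is an assumption: the real server's default port (8793 in Airflow's configuration, from memory), the log file layout `<dag_id>/<task_id>/<execution_date>/<try_number>.log`, the sample log contents, and the token format, which shows the shape of the needed fix rather than Airflow 2.1.2's exact implementation.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for Airflow's base_log_folder holding one task log.
# Layout <dag_id>/<task_id>/<execution_date>/<try_number>.log is an assumption.
LOG_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="airflow_logs_"))
SAMPLE_LOG = "example_dag/print_date/2021-08-16/1.log"
os.makedirs(os.path.dirname(os.path.join(LOG_ROOT, SAMPLE_LOG)), exist_ok=True)
with open(os.path.join(LOG_ROOT, SAMPLE_LOG), "w") as f:
    f.write("[2021-08-16 00:00:01] INFO - Running: echo $DB_PASSWORD\n")  # constructed line

SECRET_KEY = "constructed-secret-do-not-use"  # stands in for the deployment's secret_key


def resolve_log_path(rel_path):
    """Map a request path onto LOG_ROOT; None when it escapes the log root."""
    full = os.path.realpath(os.path.join(LOG_ROOT, rel_path.lstrip("/")))
    if os.path.commonpath([full, LOG_ROOT]) != LOG_ROOT:
        return None
    return full


def make_token(filename, ttl_seconds=60, secret=SECRET_KEY):
    """Token bound to one log path and an expiry, authenticated with HMAC-SHA256."""
    body = json.dumps({"filename": filename, "exp": int(time.time()) + ttl_seconds},
                      sort_keys=True).encode()
    sig = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_token(token, filename, secret=SECRET_KEY):
    """True only for an untampered, unexpired token issued for exactly this filename."""
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    payload = json.loads(body)
    return payload.get("filename") == filename and payload.get("exp", 0) > time.time()


class LogServer(BaseHTTPRequestHandler):
    require_token = False  # False models the unauthenticated pre-2.1.2 server

    def do_GET(self):
        rel = self.path.lstrip("/")
        full = resolve_log_path(rel)
        if full is None:
            return self._reply(403, "outside log root")
        if self.require_token and not verify_token(self.headers.get("Authorization"), rel):
            return self._reply(403, "missing or invalid token")
        if not os.path.isfile(full):
            return self._reply(404, "no such log")
        with open(full, "rb") as fh:
            self._reply(200, fh.read())

    def _reply(self, status, body):
        body = body.encode() if isinstance(body, str) else body
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_log_server(require_token, bind="127.0.0.1"):
    """Serve on an ephemeral loopback port (the real server bound 0.0.0.0 by default)."""
    handler = type("Handler", (LogServer,), {"require_token": require_token})
    srv = ThreadingHTTPServer((bind, 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_log(port, rel_path, token=None, host="127.0.0.1"):
    """GET one log file; returns (status, body)."""
    req = Request(f"http://{host}:{port}/{rel_path}")
    if token:
        req.add_header("Authorization", token)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, ""


def is_exposed(port, rel_path, host="127.0.0.1"):
    """Triage check: a 200 for an unauthenticated GET is the CVE-2021-35936 condition."""
    return fetch_log(port, rel_path, host=host)[0] == 200


if __name__ == "__main__":
    for require in (False, True):
        srv = start_log_server(require_token=require)
        print("token required" if require else "no auth", "->",
              "EXPOSED" if is_exposed(srv.server_port, SAMPLE_LOG) else "protected")
        srv.shutdown()
```

To triage a real deployment, point `is_exposed()` at a worker or scheduler host and the log server port with a known task log path; a 200 without credentials means the host is running the unauthenticated server. The hardened handler ties every token to a single path and an expiry so that a captured token cannot be replayed against other tasks' logs, and `resolve_log_path()` rejects traversal independently of authentication.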

Key dates

02 Disclosure timeline

August 16, 2021 CVE published
August 4, 2024 Record updated