CVE-2021-38540: Apache Airflow: Variable Import endpoint missed authentication check

Vendor: Apache Software Foundation
Product: Apache Airflow
Weakness: CWE-269
Published: September 9, 2021
Last update: August 4, 2024

What the vulnerability does

Description

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

Key dates

Disclosure timeline

September 9, 2021: CVE published
August 4, 2024: Record updated