CVE-2021-35936

Summary

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache AirflowApache Airflow < 2.1.2affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Workarounds

Use remote logging with GCS, S3, Elasticsearch etc. This is recommended for production environments.

And do not publicly expose any other ports apart from Webserver port, Flower port etc.

ADP Enrichment

CVE Program Container

Additional References

References