CVE-2021-45230
N/A
N/A
Summary
In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow | Apache Airflow 1.10 1.10.0 to 1.10.15 | affected |
| Apache Software Foundation | Apache Airflow | Apache Airflow 2 < 2.2.0 | affected |
Weaknesses
- Permission checks were limited.
Workarounds
This is a very low severity CVE and admins can mitigate this issue by removing the global "can_create" permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set rbac=True in config.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.