CVE-2021-45230

Summary

In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache AirflowApache Airflow 1.10 1.10.0 to 1.10.15affected
Apache Software FoundationApache AirflowApache Airflow 2 < 2.2.0affected

Weaknesses

  • Permission checks were limited.

Workarounds

This is a very low severity CVE and admins can mitigate this issue by removing the global "can_create" permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set rbac=True in config.

ADP Enrichment

CVE Program Container

Additional References

References