Description

Apache Airflow is an open-source workflow management platform for data engineering pipelines.

Acunetix determined that it was possible to access Airflow Experimental API without authentication(CVE-2020-13927). Airflow is designed to be accessed by trusted clients inside trusted environments. It's not recommended to have it publicly accessible.

Remediation

Upgrade to the latest version of Airflow

References

CVE-2020-13927

Related Vulnerabilities

Hostile subdomain takeover

WordPress admin accessible without HTTP authentication

WordPress Plugin FV Flowplayer Video Player Multiple Vulnerabilities (7.3.14.727)

CouchDB REST API publicly accessible

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-1161)

Severity

High

Classification

CVE-2020-13927 CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Configuration