Description

Apache Airflow is an open-source workflow management platform for data engineering pipelines.

Acunetix determined that it was possible to access Airflow Web interface without authentication. Airflow is designed to be accessed by trusted clients inside trusted environments. It's not recommended to have it publicly accessible.

Remediation

Restrict public access and upgrade to the latest version of Airflow

References

Misconfigured Airflows Leak Thousands of Credentials from Popular Services

Related Vulnerabilities

WordPress Plugin BackupBuddy Information Disclosure (2.2.28)

Hasura GraphQL API without authentication

Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-12167)

WordPress Plugin Font Awesome Information Disclosure (4.0.0-rc16)

Atlassian Confluence Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-8399)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Admin Access