Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-38540— Apache Airflow: Variable Import endpoint missed authentication check

EPSS 91.78% · P100
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-38540

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache Airflow: Variable Import endpoint missed authentication check
Source: NVD (National Vulnerability Database)
Vulnerability Description
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Airflow 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Airflow是美国阿帕奇(Apache)基金会的一套用于创建、管理和监控工作流程的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow 中存在授权问题漏洞,该漏洞源于产品的import端点缺少授权保护。攻击者可通过该漏洞在DAG中添加或修改变量导致拒绝服务、信息泄露或代码执行。以下产品及版本受到影响:Apache Airflow 2.0.0 版本至 2.1.2版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache Airflow Apache Airflow ~ 2.1.3 -

II. Public POCs for CVE-2021-38540

#POC DescriptionSource LinkShenlong Link
1Missing Authentication on Critical component CVE-2021-38540https://github.com/Captain-v-hook/PoC-for-CVE-2021-38540-POC Details
2Apache Airflow Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-38540.yamlPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2021-38540

登录查看更多情报信息。

Same Patch Batch · Apache Software Foundation · 2021-09-09 · 3 CVEs total

CVE-2021-37579Bypass deserialization checks in Apache Dubbo
CVE-2021-36161Unprotected input value toString cause RCE

IV. Related Vulnerabilities

Same product: Apache Airflow
Same vendor: Apache Software Foundation
Same weakness: CWE-269

V. Comments for CVE-2021-38540

No comments yet

Leave a comment