CVE-2021-45230 : What You Need to Know

Learn about CVE-2021-45230 impacting Apache Airflow. Users with specific permissions could create unauthorized Dag Runs. Find mitigation steps & enhance system security.

Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver

Understanding CVE-2021-45230

Apache Airflow prior to version 2.2.0 allowed users with specific permissions to create Dag Runs for dags without the necessary edit permissions.

What is CVE-2021-45230?

This CVE pertains to a vulnerability in Apache Airflow that allowed users holding the 'can_create' permission on DAG Runs to create Dag Runs for DAGs on which they lacked 'edit' permission.

The Impact of CVE-2021-45230

Attackers could create Dag Runs, potentially leading to unauthorized execution of tasks within the system.

Technical Details of CVE-2021-45230

Vulnerability Description

Users with 'can_create' permissions could create Dag Runs without the necessary edit permissions.

Affected Systems and Versions

Apache Airflow 1.10 versions 1.10.0 to 1.10.15
Apache Airflow 2 versions less than 2.2.0

Exploitation Mechanism

Malicious users with specific permissions could exploit the vulnerability to create unauthorized Dag Runs.

Mitigation and Prevention

Steps to address the issue and enhance security

Immediate Steps to Take

Admins should remove the global 'can_create' permissions on DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions with rbac=True.

Long-Term Security Practices

Regularly review and adjust permissions to ensure proper access control.
Keep Airflow updated with the latest security patches.
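Both the immediate step (removing the global 'can_create' permission on DagRun) and the long-term practice (regularly reviewing permissions) start with the same question: which roles currently hold that permission? The following audit is an added example written for this page; it is not code from the CVE page or from the Apache Airflow project. It assumes the Flask-AppBuilder permission tables Airflow's webserver uses (ab_permission, ab_view_menu, ab_permission_view, ab_role, ab_permission_view_role), that Airflow 2.x names the resource "DAG Runs" and the action "can_create", and that 1.10.x with rbac=True named the view "DagRunModelView". The sample database is constructed in memory so the example runs offline; the functions, the constants and the role names in it are hypothetical.

```python
import sqlite3

# Assumption for this example: Airflow 2.x uses the resource name "DAG Runs";
# 1.10.x with rbac=True used the view name "DagRunModelView". Both are checked.
DAG_RUN_RESOURCES = ("DAG Runs", "DagRunModelView")
CREATE_ACTION = "can_create"

# Minimal copy of the Flask-AppBuilder permission schema (assumption, constructed here).
FAB_SCHEMA = """
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_view_menu (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_permission_view (
    id INTEGER PRIMARY KEY, permission_id INTEGER NOT NULL, view_menu_id INTEGER NOT NULL);
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_permission_view_role (
    id INTEGER PRIMARY KEY, permission_view_id INTEGER NOT NULL, role_id INTEGER NOT NULL);
"""

# Joins role -> permission_view -> (action, resource) and keeps only the
# global can_create on the DagRun resource, which is what the advisory says to remove.
AUDIT_QUERY = """
SELECT r.name
FROM ab_permission_view_role pvr
JOIN ab_permission_view pv ON pv.id = pvr.permission_view_id
JOIN ab_permission p ON p.id = pv.permission_id
JOIN ab_view_menu vm ON vm.id = pv.view_menu_id
JOIN ab_role r ON r.id = pvr.role_id
WHERE p.name = ? AND vm.name IN ({placeholders})
ORDER BY r.name
"""


def roles_with_global_dagrun_create(conn, resources=DAG_RUN_RESOURCES, action=CREATE_ACTION):
    """Return the names of all roles holding `action` on any of `resources`."""
    query = AUDIT_QUERY.format(placeholders=",".join("?" * len(resources)))
    rows = conn.execute(query, (action, *resources)).fetchall()
    return [row[0] for row in rows]


def non_admin_roles_to_review(conn):
    """Admin is expected to hold the permission; every other role is a review item."""
    return [r for r in roles_with_global_dagrun_create(conn) if r != "Admin"]


def build_sample_db():
    """Constructed sample data: four roles, two of which hold global can_create on DAG Runs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(FAB_SCHEMA)
    conn.executemany("INSERT INTO ab_permission(id, name) VALUES (?, ?)",
                     [(1, "can_read"), (2, "can_edit"), (3, "can_create")])
    conn.executemany("INSERT INTO ab_view_menu(id, name) VALUES (?, ?)",
                     [(1, "DAG Runs"), (2, "DAGs"), (3, "DAG:example_dag")])
    # (id, permission_id, view_menu_id)
    conn.executemany("INSERT INTO ab_permission_view VALUES (?, ?, ?)",
                     [(1, 1, 1),    # can_read on DAG Runs
                      (2, 3, 1),    # can_create on DAG Runs: the permission being audited
                      (3, 2, 3),    # can_edit on one specific DAG
                      (4, 3, 2)])   # can_create on DAGs: a different resource, must not match
    conn.executemany("INSERT INTO ab_role(id, name) VALUES (?, ?)",
                     [(1, "Admin"), (2, "Viewer"), (3, "Op"), (4, "dag_owner")])
    # (id, permission_view_id, role_id)
    conn.executemany("INSERT INTO ab_permission_view_role VALUES (?, ?, ?)",
                     [(1, 1, 1), (2, 2, 1),   # Admin: read + create on DAG Runs
                      (3, 1, 2),              # Viewer: read only
                      (4, 1, 3), (5, 2, 3),   # Op: read + create on DAG Runs
                      (6, 3, 4), (7, 4, 4)])  # dag_owner: edit one DAG, create on DAGs
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("roles with global can_create on DAG Runs:", roles_with_global_dagrun_create(db))
    print("non-admin roles to review:", non_admin_roles_to_review(db))
```

Against a real deployment the same query would be run against the webserver's metadata database instead of the in-memory sample; the result is the list of roles whose global DagRun create permission should be removed on unpatched versions, or re-checked after upgrading to 2.2.0 or later. Note that the query deliberately ignores per-DAG 'can_edit' entries and 'can_create' on other resources, since only the global DagRun permission is the one this advisory concerns.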
