
CVE-2021-38540: Missing Authentication for Critical Function in Apache Airflow

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.9955%
Published
5/24/2022
Updated
9/11/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
apache-airflow
Ecosystem
pip
Vulnerable Versions
>= 2.0.0, < 2.1.3
First Patched Version
2.1.3

Vulnerability Intelligence

Root Cause Analysis

The GitHub patch fixes the vulnerability by adding the @auth.has_access decorator to the varimport method in views.py. Before the fix, the endpoint was listed in class_permissions, but no explicit authentication check ran when it was invoked, so that listing alone did not protect it. Removing the entry from class_permissions and decorating the method directly identifies varimport as the unprotected critical function. The test added with the patch (test_import_variables_anon) exercises the endpoint as an anonymous user and confirms that authentication was previously missing. Because Airflow Variables are read by DAGs at run time, a caller who can create or overwrite them without logging in can influence what tasks execute, which is why a missing decorator on this one view carries a critical rating.
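The shape of the bug and of the fix, as an added stand-alone illustration written for this page (it is not Airflow's views.py or its Flask-AppBuilder auth layer): the same view body is exposed once without and once behind an access decorator, and the anonymous call from the patch's test is replayed against both. The Request and VariableStore objects, the has_access model and the uploaded payload are simplified assumptions.

```python
"""Added illustration of the root cause: an access-control decorator missing
from one view. Not Airflow's code; the decorator, store and request objects
below are simplified assumptions made for this example.
"""
import json
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional


@dataclass
class Request:
    """Minimal stand-in for a Flask request: body of the uploaded JSON file
    and the authenticated user (None when the caller is anonymous)."""
    file_body: bytes
    user: Optional[str] = None


@dataclass
class VariableStore:
    """Stand-in for the Airflow Variable table that DAGs read at run time."""
    variables: dict = field(default_factory=dict)


def has_access(required: str) -> Callable:
    """Model of an auth.has_access-style decorator: refuse anonymous callers
    before the view body runs. The real decorator also checks the permission
    named in `required`; only the anonymous case matters here."""
    def decorator(view: Callable) -> Callable:
        @wraps(view)
        def guarded(store: VariableStore, req: Request):
            if req.user is None:
                return 403, "access denied"
            return view(store, req)
        return guarded
    return decorator


def _import_variables(store: VariableStore, req: Request):
    """Shared view body: parse the uploaded JSON object and upsert each key.
    Non-string values are stored JSON-serialised (assumption: mirrors how a
    variable import keeps structured values)."""
    try:
        data = json.loads(req.file_body)
    except ValueError:
        return 400, "invalid JSON"
    if not isinstance(data, dict):
        return 400, "expected a JSON object"
    for key, value in data.items():
        store.variables[key] = value if isinstance(value, str) else json.dumps(value)
    return 200, f"{len(data)} variable(s) imported"


# Vulnerable shape: the view is exposed with no access decorator, so an
# unauthenticated POST reaches the store and can create or overwrite variables.
def varimport_unpatched(store: VariableStore, req: Request):
    return _import_variables(store, req)


# Patched shape: the same body behind has_access, matching the fix described
# above (decorator added directly on the view).
@has_access("can_create on Variables")
def varimport_patched(store: VariableStore, req: Request):
    return _import_variables(store, req)


# Constructed payload: overwriting a variable that a DAG interpolates into a
# command is the route to the impact the advisory describes.
ATTACKER_UPLOAD = json.dumps({"deploy_cmd": "echo attacker-controlled",
                              "config": {"debug": True}}).encode()


def anonymous_import(view: Callable):
    """Replay the anonymous test case: call the view with no user and report
    the status plus whatever ended up in the store."""
    store = VariableStore({"deploy_cmd": "make deploy"})
    status, _ = view(store, Request(file_body=ATTACKER_UPLOAD, user=None))
    return status, dict(store.variables)


if __name__ == "__main__":
    for name, view in (("unpatched", varimport_unpatched), ("patched", varimport_patched)):
        status, variables = anonymous_import(view)
        print(f"{name}: HTTP {status}, deploy_cmd={variables['deploy_cmd']!r}")
```

Run stand-alone, the unpatched view answers an anonymous upload with 200 and the store now holds the attacker's values; the patched view answers 403 and the store is untouched. The point a reviewer should take from the diff is that the check must sit on the view itself: a permission entry in a class-level list does nothing unless something enforces it on each request.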


WAF Protection Rules

WAF Rule

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, informati
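A stop-gap request filter for the endpoint, as an added example written for this page. It is not Miggo's WAF rule (which is not shown) and not part of Airflow. It assumes the endpoint path is /variable/varimport (the Airflow 2.x webserver route), that the Flask session cookie is named "session", and the vulnerable range from the table above (>= 2.0.0, < 2.1.3). The sample requests are constructed.

```python
"""Added example: a request-level filter for the variable import endpoint plus
a version-range check. Not Miggo's rule and not Airflow code; the path, cookie
name and sample requests are assumptions made for this example.
"""
import re
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple
from urllib.parse import unquote

VARIMPORT_PATH = "/variable/varimport"   # assumed Airflow 2.x route
SESSION_COOKIE = "session"               # assumed Flask session cookie name


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.3' -> (2, 1, 3); a trailing label such as 'rc1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"not a version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(v: str) -> bool:
    """Range taken from the advisory table: 2.0.0 <= version < 2.1.3."""
    return (2, 0, 0) <= parse_version(v) < (2, 1, 3)


def waf_decision(method: str, path: str, headers: Dict[str, str]) -> str:
    """Return 'block' or 'allow' for one request.

    Only POSTs to the import endpoint are inspected, and any such request
    carrying no session cookie is blocked. Caveat: a present cookie is not a
    valid one, so this only removes the anonymous case; the fix is upgrading.
    """
    # Werkzeug decodes percent-escapes before routing, so compare the decoded
    # path, otherwise /variable/var%69mport walks past a literal match.
    clean_path = unquote(path.split("?", 1)[0]).rstrip("/")
    if method.upper() != "POST" or clean_path != VARIMPORT_PATH:
        return "allow"
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    if SESSION_COOKIE in cookie and cookie[SESSION_COOKIE].value:
        return "allow"
    return "block"


# Constructed sample traffic, one tuple per request: method, path, headers.
CONSTRUCTED_REQUESTS = [
    ("POST", "/variable/varimport", {}),                                   # anonymous import
    ("POST", "/variable/var%69mport?x=1", {}),                             # percent-encoded evasion
    ("POST", "/variable/varimport", {"Cookie": "session=eyJhbGciOi.abc.def"}),  # session present
    ("GET", "/variable/list/", {}),                                        # unrelated read
]


def evaluate_requests(requests=CONSTRUCTED_REQUESTS) -> List[str]:
    """Apply the rule to each constructed request and return the decisions."""
    return [waf_decision(m, p, h) for m, p, h in requests]


if __name__ == "__main__":
    for (m, p, _), decision in zip(CONSTRUCTED_REQUESTS, evaluate_requests()):
        print(f"{decision:5}  {m} {p}")
    for v in ("2.0.0", "2.1.2", "2.1.3", "1.10.15"):
        print(f"apache-airflow {v}: {'vulnerable' if is_vulnerable_version(v) else 'not in range'}")
```

The two anonymous POSTs (including the percent-encoded one) are blocked, the request with a session cookie and the unrelated GET pass. Treat the filter as a bridge only: it cannot tell a forged or expired cookie from a real one, and an installation reporting a version inside the table's range still needs the upgrade to 2.1.3 or later.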
