Description

Apache Airflow is an open-source workflow management platform for data engineering pipelines.

Acunetix determined that it was possible to access Airflow's airflow.cfg without authentication. Airflow is designed to be accessed by trusted clients inside trusted environments. It's not recommended to have it publicly accessible.

Remediation

Set "expose_config" to "False" in the settings file

References

Misconfigured Airflows Leak Thousands of Credentials from Popular Services

Related Vulnerabilities

Joomla! Core 1.7.x Information Disclosure (1.7.0 - 1.7.1)

WordPress Plugin BackupBuddy Information Disclosure (2.2.28)

Drupal Core 7.x Multiple Vulnerabilities (7.0 - 7.38)

WordPress Plugin IgniteUp-Coming Soon and Maintenance Mode Multiple Vulnerabilities (3.4)

WordPress Plugin Fast Velocity Minify Information Disclosure (2.7.6)

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Insecure Admin Access