Description

Apache Airflow is an open-source workflow management platform for data engineering pipelines.

Acunetix determined that it was possible to access Airflow's airflow.cfg without authentication. Airflow is designed to be accessed by trusted clients inside trusted environments. It's not recommended to have it publicly accessible.

Remediation

Set "expose_config" to "False" in the settings file

References

Misconfigured Airflows Leak Thousands of Credentials from Popular Services

Related Vulnerabilities

WordPress Plugin FV Flowplayer Video Player Multiple Vulnerabilities (7.3.14.727)

WordPress Plugin Global Content Blocks PHP Code Execution and Information Disclosure Vulnerabilities (1.5.1)

WordPress Plugin iThemes Security (formerly Better WP Security) Information Disclosure (5.1.1)

WordPress Plugin MP3-jPlayer Information Disclosure (2.3.2)

WordPress REST API User Enumeration

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Insecure Admin Access