CVE: CVE-2020-13927

Export to Word

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.94241
Percentile: 0.99921

CVSS Scoring

CVSS v3.1 Score: 9.8

Severity: CRITICAL

KEV is present

Mapped CWE(s)

CWE-1056 : Invokable Control Element with Variadic Parameters
CWE-1188 : Initialization of a Resource with an Insecure Default
CWE-306 : Missing Authentication for Critical Function

All CAPEC(s)

CAPEC-12: Choosing Message Identifier
CAPEC-166: Force the System to Reset Values
CAPEC-216: Communication Channel Manipulation
CAPEC-36: Using Unpublished Interfaces or Functionality
CAPEC-62: Cross Site Request Forgery
CAPEC-665: Exploitation of Thunderbolt Protection Flaws

CAPEC(s) with Mapped TTPs

CAPEC-665: Exploitation of Thunderbolt Protection Flaws
Mapped TTPs:
- T1211 : Exploitation for Defense Evasion
- T1542.002 : Component Firmware
- T1556 : Modify Authentication Process

Mapped ATT&CK TTPs

T1211 : Exploitation for Defense Evasion
Kill Chain: defense-evasion
T1542.002 : Component Firmware
Kill Chain: persistence
T1556 : Modify Authentication Process
Kill Chain: credential-access

Malware

APTs Threat Group Associations

Campaigns

ArcaneDoor

Affected Products

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

← Back to Home