CVE-2021-41802
Information Disclosure vulnerability in vault (Go)

Information Disclosure · No known exploit

What is CVE-2021-41802 About?

HashiCorp Vault and Vault Enterprise through 1.7.4, and 1.8.x through 1.8.3, allowed a user with write permission to an entity alias ID that shares a mount accessor with another user to acquire that other user's policies by merging their identities. Although catalogued here as information disclosure, the practical effect is privilege escalation inside Vault: the attacker ends up holding policies they were never granted, and with them access to whatever those policies protect. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Affected Software

  • github.com/hashicorp/vault
    • <1.7.5
    • >=1.8.0, <1.8.4

Technical Details

The flaw is in Vault's Identity secrets engine. Every authenticated principal is represented by an entity, and each login method attaches an entity alias to it; the alias is tied to the auth mount it came from through that mount's accessor. An entity holds at most one alias per mount accessor, so when an alias write asks Vault to attach an alias to an entity that already has one for the same accessor, Vault resolves the conflict by merging the two entities, and the merged entity carries the policies of both. In affected versions this merge was reachable by any user who could write to an entity alias ID (the identity/entity-alias/id/<id> path) whose mount accessor was shared with another user, i.e. both of them log in through the same auth method mount. Such a user could re-point their alias so that the two entities merged and thereby inherit the other user's policies. The missing control was a check that rejects alias writes which would merge one user's entity into another's; 1.7.5 and 1.8.4 add it. The attack needs nothing beyond an authenticated Vault session and write capability on the alias path.
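The precondition above, write access to an entity alias that re-points its canonical_id, leaves a trace in Vault's audit log. The following Go program is an added example, not code from this page or from HashiCorp: it scans audit-device JSON lines and flags every request that writes to identity/entity-alias/id/<id> with a canonical_id in its data. The audit field names (type, auth.display_name, auth.entity_id, request.operation, request.path, request.data, request.remote_address) are assumed from the file audit device's layout and should be checked against your own logs; the sample lines, IDs and addresses are constructed for the example. Vault HMACs request data values by default, so the check keys on the presence of canonical_id rather than its value, and response entries are skipped so each request is reported once.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// auditEntry models only the fields of a Vault file-audit-device JSON line
// that this check needs. Field names are an assumption about the audit
// layout; verify them against your own audit output.
type auditEntry struct {
	Time string `json:"time"`
	Type string `json:"type"` // "request" or "response"
	Auth struct {
		DisplayName string `json:"display_name"`
		EntityID    string `json:"entity_id"`
	} `json:"auth"`
	Request struct {
		Operation     string                 `json:"operation"`
		Path          string                 `json:"path"`
		Data          map[string]interface{} `json:"data"`
		RemoteAddress string                 `json:"remote_address"`
	} `json:"request"`
}

// Finding is one alias write worth reviewing.
type Finding struct {
	Time, Actor, ActorEntity, Path, Remote string
}

const aliasPrefix = "identity/entity-alias/id/"

// ScanAuditLog returns every request entry that writes to an existing entity
// alias and supplies canonical_id, i.e. asks Vault to re-point the alias at a
// (possibly different) entity. Data values are normally HMAC'd in the audit
// log, so only the presence of the key is checked. Response entries are
// skipped so each request is reported once. A malformed line is an error,
// not a silent skip: a gap in the audit trail is itself a finding.
func ScanAuditLog(log string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: malformed audit entry: %w", n, err)
		}
		if e.Type != "request" {
			continue
		}
		if e.Request.Operation != "update" && e.Request.Operation != "create" {
			continue
		}
		if !strings.HasPrefix(e.Request.Path, aliasPrefix) {
			continue
		}
		if _, ok := e.Request.Data["canonical_id"]; !ok {
			continue
		}
		findings = append(findings, Finding{
			Time:        e.Time,
			Actor:       e.Auth.DisplayName,
			ActorEntity: e.Auth.EntityID,
			Path:        e.Request.Path,
			Remote:      e.Request.RemoteAddress,
		})
	}
	return findings, sc.Err()
}

// SampleAuditLog is constructed for this example; names, IDs and addresses
// are made up. Line 1 is an ordinary secret read, line 2 is an alias write
// that supplies canonical_id (flagged), line 3 is its response entry
// (skipped), line 4 renames an alias without touching canonical_id.
const SampleAuditLog = `
{"time":"2021-10-01T12:00:01Z","type":"request","auth":{"display_name":"userpass-alice","entity_id":"e-alice"},"request":{"operation":"read","path":"secret/data/app","data":null,"remote_address":"10.0.0.4"}}
{"time":"2021-10-01T12:00:02Z","type":"request","auth":{"display_name":"userpass-mallory","entity_id":"e-mallory"},"request":{"operation":"update","path":"identity/entity-alias/id/a-mallory","data":{"canonical_id":"hmac-sha256:1111","mount_accessor":"hmac-sha256:2222","name":"hmac-sha256:3333"},"remote_address":"10.0.0.9"}}
{"time":"2021-10-01T12:00:02Z","type":"response","auth":{"display_name":"userpass-mallory","entity_id":"e-mallory"},"request":{"operation":"update","path":"identity/entity-alias/id/a-mallory","data":{"canonical_id":"hmac-sha256:1111"},"remote_address":"10.0.0.9"},"response":{}}
{"time":"2021-10-01T12:00:03Z","type":"request","auth":{"display_name":"root","entity_id":""},"request":{"operation":"update","path":"identity/entity-alias/id/a-bob","data":{"name":"hmac-sha256:4444"},"remote_address":"127.0.0.1"}}
`

func main() {
	findings, err := ScanAuditLog(SampleAuditLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s  %s (entity %s) from %s wrote canonical_id on %s\n",
			f.Time, f.Actor, f.ActorEntity, f.Remote, f.Path)
	}
}
```

On the sample the scan reports exactly one line, the write by userpass-mallory. In a real review, pair each finding with the actor's entity ID: a non-administrative entity re-pointing its own alias is the pattern this advisory describes, whereas alias maintenance by an identity administrator is expected.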

What is the Impact of CVE-2021-41802?

Successful exploitation gives the attacker the victim's policies in addition to their own, and with them every capability those policies confer: reading the secrets the victim can read, writing the paths the victim can write, and, if the victim is an identity administrator, further manipulation of entities and aliases. Anything the victim could reach through Vault, including stored credentials, becomes reachable by the attacker, which is why the issue is listed as information disclosure even though the mechanism is an authorization flaw. Because policies are merged rather than replaced, the attacker's existing access is preserved and the acquired access is durable until the entities are separated again.

What is the Exploitability of CVE-2021-41802?

Exploitation complexity is low once the preconditions hold. The attacker must be an authenticated Vault user who (a) has write capability on an entity alias ID and (b) shares a mount accessor with the target user, which in practice means both authenticate through the same auth method mount, for example the same userpass or LDAP mount. No other privilege is required, and the write is an ordinary API call, so this is a remote attack for any client that can reach the Vault API. Deployments most exposed are those that grant update or create on identity/entity-alias paths broadly, or that serve many tenants or teams from a single shared auth mount. Short of upgrading, restricting write capability on identity/entity-alias/* to trusted identity administrators removes precondition (a); reviewing audit-log writes to those paths provides detection but not prevention.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2021-41802?

Available Upgrade Options

  • github.com/hashicorp/vault
    • <1.7.5 → Upgrade to 1.7.5
  • github.com/hashicorp/vault
    • >=1.8.0, <1.8.4 → Upgrade to 1.8.4
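A practitioner checking a fleet wants the two ranges above applied to whatever `vault version` or `vault status` prints, including Enterprise builds such as v1.8.3+ent. The Go program below is an added example, not code from this page or from HashiCorp: it parses those version strings, drops build metadata and pre-release tags, and tests the result against the page's half-open ranges [0.0.0, 1.7.5) and [1.8.0, 1.8.4), reporting the fixed release to move to. The sample inputs are constructed; treating a pre-release such as 1.8.0-rc1 as 1.8.0 is a deliberate conservative choice, not something the advisory states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is the numeric triple of a Vault release.
type version struct{ major, minor, patch int }

func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

func (a version) String() string {
	return fmt.Sprintf("%d.%d.%d", a.major, a.minor, a.patch)
}

// versionRange is half-open: lo <= v < hi. hi is also the fixed release.
type versionRange struct{ lo, hi version }

// affectedRanges transcribes the ranges listed on this page:
// < 1.7.5, and >= 1.8.0 and < 1.8.4.
var affectedRanges = []versionRange{
	{version{0, 0, 0}, version{1, 7, 5}},
	{version{1, 8, 0}, version{1, 8, 4}},
}

// ParseVaultVersion accepts the forms `vault version` prints
// ("Vault v1.8.3 (sha)", "v1.8.3+ent") and a bare "1.8.3". Build metadata
// (+ent) and pre-release tags (-rc1) are dropped: the advisory covers OSS and
// Enterprise alike, and reading 1.8.0-rc1 as 1.8.0 is the conservative choice.
func ParseVaultVersion(s string) (version, error) {
	s = strings.TrimSpace(s)
	s = strings.TrimPrefix(s, "Vault ")
	if i := strings.IndexAny(s, " ("); i >= 0 { // "v1.8.3 (sha...)"
		s = s[:i]
	}
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 { // "-rc1", "+ent"
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unrecognised Vault version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("unrecognised Vault version %q", s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// Affected reports whether the version string falls inside any affected range
// and, if so, the fixed release to upgrade to ("" when not affected).
func Affected(s string) (bool, string, error) {
	v, err := ParseVaultVersion(s)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		if !v.less(r.lo) && v.less(r.hi) {
			return true, r.hi.String(), nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs; in practice feed the output of `vault version`
	// or the version field from `vault status -format=json` on each node.
	samples := []string{"Vault v1.7.4 (abc123)", "v1.8.0+ent", "1.8.3", "1.7.5", "1.8.4", "1.9.0", "1.6.2", "latest"}
	for _, s := range samples {
		hit, fix, err := Affected(s)
		switch {
		case err != nil:
			fmt.Printf("%-24s %v\n", s, err)
		case hit:
			fmt.Printf("%-24s affected, upgrade to %s\n", s, fix)
		default:
			fmt.Printf("%-24s not affected\n", s)
		}
	}
}
```

Run it against every node in a cluster, not just the active one: standby nodes that lag behind on upgrades are still exposed once they become active.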


Additional Resources

What are Similar Vulnerabilities to CVE-2021-41802?

Similar Vulnerabilities: CVE-2023-46288 , CVE-2022-38662 , CVE-2021-38374 , CVE-2023-24618 , CVE-2022-38666