CVE-2020-13927

CRITICAL Year: 2020
CVSS v3 Score
9.8
Critical
CVSS v2 Score
7.5
High
Weakness Type
CWE-306
View all →

Vulnerability Description

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

Related Vulnerabilities

CVE-2006-0061

CRITICAL
CVSS:9.8(Critical)

xlockmore 5.13 and 5.22 segfaults when using libpam-opensc and returns the underlying xsession. This allows unauthorized users access to the X session.

CWE-3062006

CVE-2006-0062

CRITICAL
CVSS:9.8(Critical)

xlockmore 5.13 allows potential xlock bypass when FVWM switches to the same virtual desktop as a new Gaim window.

CWE-3062006

CVE-2014-3449

CRITICAL
CVSS:9.8(Critical)

BSS Continuity CMS 4.2.22640.0 has an Authentication Bypass vulnerability

CWE-3062014

CVE-2015-2888

CRITICAL
CVSS:9.8(Critical)

Summer Baby Zoom Wifi Monitor & Internet Viewing System allows remote attackers to bypass authentication, related to the MySnapCam web service.

CWE-3062015

CVE-2016-2004

CRITICAL
CVSS:9.8(Critical)

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerab...

CWE-3062016

CVE-2016-5053

CRITICAL
CVSS:9.8(Critical)

OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 allows remote attackers to execute arbitrary commands via TCP port 4000.

CWE-3062016