{"schema_version": "1.6.1", "id": "CVE-2021-38540", "summary": "Apache Airflow: Variable Import endpoint missed authentication check", "details": "The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially\nresulting in a denial of service, information disclosure or remote code execution.\n\nThis issue affects Apache Airflow >=2.0.0, <2.1.3.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Airflow "}, {"fixed": "2.1.3"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E"}]}