{"schema_version": "1.6.1", "id": "CVE-2021-45230", "summary": "Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver", "details": "In Apache Airflow prior to 2.2.0.  This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for. \n\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Airflow 1.10 1.10.0 to 1.10.15"}, {"last_affected": "Apache Airflow 1.10 1.10.0 to 1.10.15"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache Airflow 2"}, {"fixed": "2.2.0"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"}]}