
[security] ui - Server Information Disclosure


Details

• Type: Improvement
• Status: Closed
• Priority: Trivial
• Resolution: Won't Do
• Affects Version/s: None
• Fix Version/s: None
• Component/s: security, ui
• Labels: None

Description

The Airflow application reveals server information through HTTP response headers. The following information is provided: Server: gunicorn/19.9.0. The application also allows access to a default monitoring page /health which provides a small amount of information about the server status.

Business Impact/Attack Scenario
Information regarding the web server, version information, frameworks, development methodology or anything related to the infrastructure of an application may be collected by an attacker. Information gathered may then be used to perform targeted research, vulnerability or exploit development against known components or social engineering style attacks against application owners. Information gathered also increases the likelihood of compromise in the event publicly disclosed vulnerabilities are released.

Recommendation
Remove the information from the application's HTTP response headers. Modify gunicorn's conf.py and change the following parameter: gunicorn.SERVER_SOFTWARE = '<change_server_info_here>'.
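As an added check that is not part of this ticket or of Airflow's own code: a small Python audit that parses a raw HTTP response and reports whether its Server header exposes a product version. It runs against two constructed sample responses, one carrying the gunicorn/19.9.0 header described above and one after the recommended change to a neutral value (the value 'Server' is an assumed choice).

```python
import re
from typing import Dict, List, Optional, Tuple

# "product/version" tokens as they appear in Server headers, e.g. gunicorn/19.9.0
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response.
    Returns a dict keyed by lower-cased header name; stops at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw_response.split("\r\n")[1:]:  # element 0 is the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_server_header(raw_response: str) -> dict:
    """Classify what the Server header reveals.
    leaks_version is True when any token carries a numeric version, which is
    the condition the ticket describes (gunicorn/19.9.0)."""
    server: Optional[str] = parse_headers(raw_response).get("server")
    products: List[Tuple[str, Optional[str]]] = []
    if server:
        for token in server.split():
            m = VERSION_TOKEN.fullmatch(token)
            products.append((m.group(1), m.group(2)) if m else (token, None))
    return {
        "server": server,
        "products": products,
        "leaks_version": any(v is not None for _, v in products),
    }


# Constructed sample responses (not captured from a real Airflow host).
DISCLOSING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gunicorn/19.9.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>airflow</html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Server\r\n"  # assumed neutral value set via gunicorn.SERVER_SOFTWARE
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>airflow</html>"
)

if __name__ == "__main__":
    for label, resp in (("disclosing", DISCLOSING), ("hardened", HARDENED)):
        print(label, audit_server_header(resp))
```

Gunicorn releases from 20.1.0 onward send only the product name in the Server header by default, so on a current deployment the audit flags a version only where an older gunicorn or another server in front of it still emits one.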

People

• Assignee: Unassigned
• Reporter: toopt4 t oo