Please find below the information about a vulnerability which has been addressed in Apache Airflow 2.1.0.
Description: Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29621 Airflow 1.10 reached end of life and this vulnerability will not be addressed in 1.10.* series. We advise everyone to migrate to Airflow 2.1+. Credits: Dolev Farhi Thanks. Jarek @ Airflow PMC
