Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Airflow
(Apache)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 73 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-11-02 | CVE-2022-43985 | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | Airflow | 6.1 | ||
| 2021-08-16 | CVE-2021-35936 | If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2. | Airflow | 5.3 | ||
| 2022-09-21 | CVE-2022-40604 | In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction. | Airflow | 7.5 | ||
| 2022-09-21 | CVE-2022-40754 | In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. | Airflow | 6.1 | ||
| 2022-09-02 | CVE-2022-38054 | In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | Airflow | 9.8 | ||
| 2022-01-20 | CVE-2021-45230 | In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for. | Airflow | 6.5 | ||
| 2022-02-25 | CVE-2021-45229 | It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. | Airflow | 6.1 | ||
| 2022-02-25 | CVE-2022-24288 | In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | Airflow | 8.8 | ||
| 2020-12-14 | CVE-2020-17513 | In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. | Airflow | 5.3 | ||
| 2020-12-14 | CVE-2020-17511 | In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field. | Airflow | 6.5 |