Product: Airflow (Apache)

Repositories: unknown. (The site's note that this might be proprietary software is a placeholder; Apache Airflow is open source and is developed at https://github.com/apache/airflow.)

Vulnerabilities: 73 (10 listed below)
Date | Id | Summary | Products | Score
(The Patch and Annotated columns are empty for every row below.)
2019-02-27 | CVE-2018-20244 | In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. | Airflow | 5.5
2019-04-10 | CVE-2019-0216 | A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. | Airflow | 4.8
2019-04-10 | CVE-2019-0229 | A number of HTTP endpoints in the Airflow webserver (both the RBAC and the classic UI) lacked adequate protection and were vulnerable to cross-site request forgery (CSRF). | Airflow | 8.8
2019-10-30 | CVE-2019-12417 | A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. This also presented a local file disclosure vulnerability: any file readable by the webserver process could be read. | Airflow | 4.8
2020-01-14 | CVE-2019-12398 | In Apache Airflow before 1.10.5, when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. The new "RBAC" UI is unaffected. | Airflow | 4.8
2020-09-17 | CVE-2020-13944 | In Apache Airflow before 1.10.12, the "origin" parameter passed to some endpoints, such as '/trigger', was vulnerable to XSS. | Airflow | 6.1
2020-12-11 | CVE-2020-17515 | The "origin" parameter passed to some endpoints, such as '/trigger', was vulnerable to XSS. This issue affects Apache Airflow versions prior to 1.10.13. It is the same issue as CVE-2020-13944, but the fix shipped for that CVE in Airflow 1.10.12 did not resolve it completely. | Airflow | 6.1
2020-12-21 | CVE-2020-17526 | Incorrect session validation in the Apache Airflow webserver in versions prior to 1.10.14 with the default configuration allows a malicious Airflow user who logs in normally on site A to reuse that session to access the Airflow webserver on site B without authorization. Users who have changed the default value of the `[webserver] secret_key` config option are not affected. | Airflow | 7.7
2021-02-17 | CVE-2021-26559 | Improper access control on the configuration endpoint of the Apache Airflow Stable API allowed users with the Viewer or User role to retrieve the Airflow configuration, including sensitive information, even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0. | Airflow | 6.5
2021-02-17 | CVE-2021-26697 | The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0, so unauthenticated users could call it. This is a low-severity issue: the attacker must already know certain parameters to pass to the endpoint, and even then obtains only some metadata about a DAG and a task. This issue affects Apache Airflow 2.0.0. | Airflow | 5.3
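Two of the entries above, CVE-2020-13944/CVE-2020-17515 (the reflected "origin" redirect parameter) and CVE-2020-17526 (a session minted on one Airflow site accepted by another because both run the shipped default `secret_key`), demonstrated in one small Python script. This is an added example written for this page, not code from the Airflow project or from this listing: the function names are its own, Flask's signed session cookie is stood in for by a plain HMAC token so that it runs with the standard library only, and the value `temporary_key` is assumed to be the placeholder the 1.10.x `airflow.cfg` template shipped (the page does not state it).

```python
"""Added example (not Airflow project code): two webserver hardening checks
behind entries in the table above.

1. CVE-2020-13944 / CVE-2020-17515: the 'origin' query parameter of
   endpoints such as /trigger is reflected back as a redirect target.
   get_safe_origin() keeps it on the application's own host and rejects
   script/data schemes, scheme-relative hosts and backslash tricks.
2. CVE-2020-17526: with the shipped default '[webserver] secret_key', a
   session token minted by Airflow site A also verifies on site B.
   A minimal HMAC-signed token stands in for Flask's signed cookie.

Assumption (not stated on the page): 'temporary_key' is the placeholder
value the 1.10.x airflow.cfg template shipped for secret_key.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def get_safe_origin(origin, host_url, fallback="/"):
    """Return origin if it is a relative path or a same-host http(s) URL,
    otherwise fallback. The check is this example's own, not Airflow's."""
    if not origin:
        return fallback
    origin = origin.strip()
    # Browsers treat '\' like '/' in URLs, so '\\evil.example' becomes
    # '//evil.example' once it lands in a Location header; control
    # characters can break out of a header or attribute. Refuse both.
    if "\\" in origin or any(ord(c) < 0x20 or ord(c) == 0x7F for c in origin):
        return fallback
    parsed = urlparse(origin)
    host = urlparse(host_url)
    if parsed.scheme:
        # Absolute URL: only http(s) and only our own host (case-insensitive).
        if parsed.scheme not in ("http", "https"):
            return fallback           # javascript:, data:, vbscript:, ...
        if parsed.netloc.lower() != host.netloc.lower():
            return fallback           # foreign host, user@host tricks, etc.
    elif parsed.netloc:
        return fallback               # scheme-relative '//evil.example/x'
    return origin


DEFAULT_SECRET_KEY = "temporary_key"  # assumed 1.10.x airflow.cfg default


def sign_session(payload, secret_key):
    """Serialize a session dict and sign it with HMAC-SHA256 under secret_key."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(secret_key.encode(), body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def load_session(token, secret_key):
    """Return the session dict if the signature verifies under secret_key, else None."""
    try:
        body_hex, mac = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(secret_key.encode(), body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def cross_site_session_accepted(key_site_a, key_site_b):
    """Does a session signed by site A verify on site B? True iff keys match."""
    token = sign_session({"user": "alice", "role": "Admin"}, key_site_a)
    return load_session(token, key_site_b) is not None


def secret_key_is_weak(value):
    """Flag an unset, blank or still-default [webserver] secret_key."""
    return value is None or value.strip() == "" or value == DEFAULT_SECRET_KEY


def fresh_secret_key():
    """A random per-deployment value to put in [webserver] secret_key."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    site = "https://airflow.example"
    for candidate in ("/tree?dag_id=x", "javascript:alert(1)", "//evil.example/"):
        print(f"{candidate!r:24} -> {get_safe_origin(candidate, site)!r}")
    print("default key, session from A accepted on B:",
          cross_site_session_accepted(DEFAULT_SECRET_KEY, DEFAULT_SECRET_KEY))
    print("per-site keys, session from A accepted on B:",
          cross_site_session_accepted(fresh_secret_key(), fresh_secret_key()))
```

The last two lines of the run show the whole of CVE-2020-17526: the token itself is never forged, it simply verifies everywhere the key is the same, so the remediation is a random per-deployment value in `[webserver] secret_key` (rotating it invalidates every existing session, which is the intended effect here). The origin check is deliberately a whitelist of shapes rather than a blacklist of schemes, which is why `//evil.example/` and the backslash variant fall through to the fallback.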