Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Airflow
(Apache)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 86 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-09-09 | CVE-2021-38540 | The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3. | Airflow | 9.8 | ||
| 2022-01-20 | CVE-2021-45230 | In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for. | Airflow | 6.5 | ||
| 2022-02-25 | CVE-2021-45229 | It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. | Airflow | 6.1 | ||
| 2022-02-25 | CVE-2022-24288 | In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | Airflow | 8.8 | ||
| 2022-09-02 | CVE-2022-38054 | In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | Airflow | 9.8 | ||
| 2022-09-02 | CVE-2022-38170 | In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. | Airflow | 4.7 | ||
| 2022-10-07 | CVE-2022-41672 | In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | Airflow | 8.1 | ||
| 2023-01-21 | CVE-2023-22884 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0. | Airflow, Apache\-Airflow\-Providers\-Mysql | 9.8 | ||
| 2023-05-08 | CVE-2023-29247 | Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. | Airflow | 5.4 | ||
| 2023-06-19 | CVE-2023-35005 | In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later. | Airflow | 6.5 |