Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Airflow
(Apache)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 87 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-03-26 | CVE-2024-29735 | Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix groupĀ of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in... | Airflow | N/A | ||
| 2024-02-29 | CVE-2024-27906 | Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability | Airflow | N/A | ||
| 2022-11-02 | CVE-2022-43982 | In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | Airflow | 6.1 | ||
| 2022-11-02 | CVE-2022-43985 | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | Airflow | 6.1 | ||
| 2022-11-14 | CVE-2022-27949 | A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1. | Airflow | 7.5 | ||
| 2022-11-14 | CVE-2022-40127 | A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. | Airflow | 8.8 | ||
| 2022-11-15 | CVE-2022-45402 | In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. | Airflow | 6.1 | ||
| 2022-11-22 | CVE-2022-38649 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can... | Airflow, Apache\-Airflow\-Providers\-Apache\-Pinot | 9.8 | ||
| 2022-11-22 | CVE-2022-40189 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you... | Airflow, Apache\-Airflow\-Providers\-Apache\-Pig | 9.8 | ||
| 2022-11-22 | CVE-2022-40954 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you... | Airflow, Apache\-Airflow\-Providers\-Apache\-Spark | 5.5 |