Vulnerabilities > Apache > Airflow > 1.4.0
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-11-15 | CVE-2022-45402 | Open Redirect vulnerability in Apache Airflow In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. | 6.1 |
2022-11-14 | CVE-2022-27949 | Information Exposure vulnerability in Apache Airflow A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). | 7.5 |
2022-11-14 | CVE-2022-40127 | Code Injection vulnerability in Apache Airflow A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. | 8.8 |
2022-11-02 | CVE-2022-43982 | Cross-site Scripting vulnerability in Apache Airflow In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | 6.1 |
2022-11-02 | CVE-2022-43985 | Open Redirect vulnerability in Apache Airflow In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | 6.1 |
2022-10-07 | CVE-2022-41672 | Insufficient Session Expiration vulnerability in Apache Airflow In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | 8.1 |
2022-09-02 | CVE-2022-38170 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Airflow In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. | 4.7 |
2022-02-25 | CVE-2021-45229 | Cross-site Scripting vulnerability in Apache Airflow It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | 4.3 |
2022-02-25 | CVE-2022-24288 | OS Command Injection vulnerability in Apache Airflow In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | 6.5 |
2021-08-16 | CVE-2021-35936 | Missing Authentication for Critical Function vulnerability in Apache Airflow If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. | 5.3 |