Vulnerabilities > Apache > Airflow > 1.7.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-14 | CVE-2019-12398 | Cross-site Scripting vulnerability in Apache Airflow In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | 4.8 |
| 2019-10-30 | CVE-2019-12417 | Cross-site Scripting vulnerability in Apache Airflow A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | 4.8 |
| 2019-04-10 | CVE-2019-0229 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks. | 8.8 |
| 2019-04-10 | CVE-2019-0216 | Cross-site Scripting vulnerability in Apache Airflow A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | 4.8 |
| 2019-02-27 | CVE-2018-20244 | Cross-site Scripting vulnerability in Apache Airflow In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | 5.5 |
| 2019-01-23 | CVE-2018-20245 | Improper Certificate Validation vulnerability in Apache Airflow The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking. | 7.5 |
| 2019-01-23 | CVE-2017-17836 | Credentials Management vulnerability in Apache Airflow In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. | 9.8 |
| 2019-01-23 | CVE-2017-17835 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow. | 8.8 |
| 2019-01-23 | CVE-2017-15720 | Improper Input Validation vulnerability in Apache Airflow In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object. | 8.8 |
| 2018-08-06 | CVE-2017-12614 | Cross-site Scripting vulnerability in Apache Airflow It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. | 6.1 |