Vulnerabilities > Apache > Airflow > 2.8.4
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-21 | CVE-2024-41937 | Unspecified vulnerability in Apache Airflow Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. | 6.1 |
| 2024-07-17 | CVE-2024-39863 | Cross-site Scripting vulnerability in Apache Airflow Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. | 5.4 |
| 2024-07-17 | CVE-2024-39877 | Unspecified vulnerability in Apache Airflow Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. | 8.8 |
| 2024-06-14 | CVE-2024-25142 | Unspecified vulnerability in Apache Airflow Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue. | 5.5 |
| 2024-04-18 | CVE-2024-31869 | Unspecified vulnerability in Apache Airflow Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). | 4.3 |