Vulnerabilities > Apache > Airflow

DATE CVE VULNERABILITY TITLE RISK
2022-09-02 CVE-2022-38170 Incorrect Permission Assignment for Critical Resource vulnerability in Apache Airflow
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.
local
high complexity
apache CWE-732
4.7
2022-02-25 CVE-2021-45229 Cross-site Scripting vulnerability in Apache Airflow
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.
network
low complexity
apache CWE-79
6.1
2022-02-25 CVE-2022-24288 OS Command Injection vulnerability in Apache Airflow
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
network
low complexity
apache CWE-78
8.8
2022-01-20 CVE-2021-45230 Unspecified vulnerability in Apache Airflow
In Apache Airflow prior to 2.2.0.
network
low complexity
apache
6.5
2021-09-09 CVE-2021-38540 Missing Authentication for Critical Function vulnerability in Apache Airflow
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3.
network
low complexity
apache CWE-306
critical
9.8
2021-08-16 CVE-2021-35936 Missing Authentication for Critical Function vulnerability in Apache Airflow
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default.
network
low complexity
apache CWE-306
5.3
2021-06-07 CVE-2021-29621 Information Exposure Through Discrepancy vulnerability in multiple products
Flask-AppBuilder is a development framework, built on top of Flask.
network
low complexity
flask-appbuilder-project apache CWE-203
5.3
2021-05-02 CVE-2021-28359 Cross-site Scripting vulnerability in Apache Airflow
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
network
low complexity
apache CWE-79
6.1
2021-02-17 CVE-2021-26697 Missing Authentication for Critical Function vulnerability in Apache Airflow 2.0.0
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0.
network
low complexity
apache CWE-306
5.3
2021-02-17 CVE-2021-26559 Unspecified vulnerability in Apache Airflow 2.0.0
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`.
network
low complexity
apache
6.5