Vulnerabilities > Apache > Airflow
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-09-02 | CVE-2022-38170 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Airflow In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. | 4.7 |
2022-02-25 | CVE-2021-45229 | Cross-site Scripting vulnerability in Apache Airflow It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | 6.1 |
2022-02-25 | CVE-2022-24288 | OS Command Injection vulnerability in Apache Airflow In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | 8.8 |
2022-01-20 | CVE-2021-45230 | Unspecified vulnerability in Apache Airflow In Apache Airflow prior to 2.2.0. | 6.5 |
2021-09-09 | CVE-2021-38540 | Missing Authentication for Critical Function vulnerability in Apache Airflow The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. | 9.8 |
2021-08-16 | CVE-2021-35936 | Missing Authentication for Critical Function vulnerability in Apache Airflow If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. | 5.3 |
2021-06-07 | CVE-2021-29621 | Information Exposure Through Discrepancy vulnerability in multiple products Flask-AppBuilder is a development framework, built on top of Flask. | 5.3 |
2021-05-02 | CVE-2021-28359 | Cross-site Scripting vulnerability in Apache Airflow The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. | 6.1 |
2021-02-17 | CVE-2021-26697 | Missing Authentication for Critical Function vulnerability in Apache Airflow 2.0.0 The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. | 5.3 |
2021-02-17 | CVE-2021-26559 | Unspecified vulnerability in Apache Airflow 2.0.0 Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. | 6.5 |