Vulnerabilities > Apache > Airflow

DATE CVE VULNERABILITY TITLE RISK
2020-12-21 CVE-2020-17526 Unspecified vulnerability in Apache Airflow
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
network
low complexity
apache
7.7
2020-12-14 CVE-2020-17513 Server-Side Request Forgery (SSRF) vulnerability in Apache Airflow
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
network
low complexity
apache CWE-918
5.3
2020-12-14 CVE-2020-17511 Cleartext Storage of Sensitive Information vulnerability in Apache Airflow
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase.
network
low complexity
apache CWE-312
6.5
2020-12-11 CVE-2020-17515 Cross-site Scripting vulnerability in Apache Airflow
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
network
low complexity
apache CWE-79
6.1
2020-11-10 CVE-2020-13927 Insecure Default Initialization of Resource vulnerability in Apache Airflow
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact.
network
low complexity
apache CWE-1188
critical
9.8
2020-09-17 CVE-2020-13944 Cross-site Scripting vulnerability in Apache Airflow
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
network
low complexity
apache CWE-79
6.1
2020-07-17 CVE-2020-9485 Cross-site Scripting vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-79
6.1
2020-07-17 CVE-2020-11983 Cross-site Scripting vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-79
5.4
2020-07-17 CVE-2020-11982 Deserialization of Untrusted Data vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-502
critical
9.8
2020-07-17 CVE-2020-11981 OS Command Injection vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-78
critical
9.8