Vulnerabilities > Apache > Airflow > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-08 | CVE-2023-25754 | Unspecified vulnerability in Apache Airflow Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. | 9.8 |
| 2023-01-21 | CVE-2023-22884 | Command Injection vulnerability in Apache Airflow Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0. | 9.8 |
| 2022-11-22 | CVE-2022-40189 | OS Command Injection vulnerability in Apache Airflow Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. | 9.8 |
| 2022-11-22 | CVE-2022-38649 | OS Command Injection vulnerability in Apache Airflow Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. | 9.8 |
| 2022-09-02 | CVE-2022-38054 | Session Fixation vulnerability in Apache Airflow In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | 9.8 |
| 2021-09-09 | CVE-2021-38540 | Missing Authentication for Critical Function vulnerability in Apache Airflow The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. | 9.8 |
| 2020-11-10 | CVE-2020-13927 | Insecure Default Initialization of Resource vulnerability in Apache Airflow The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. | 9.8 |
| 2020-07-17 | CVE-2020-11981 | OS Command Injection vulnerability in Apache Airflow An issue was found in Apache Airflow versions 1.10.10 and below. | 9.8 |
| 2020-07-17 | CVE-2020-11982 | Deserialization of Untrusted Data vulnerability in Apache Airflow An issue was found in Apache Airflow versions 1.10.10 and below. | 9.8 |
| 2019-01-23 | CVE-2017-17836 | Credentials Management vulnerability in Apache Airflow In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. | 9.8 |