Vulnerabilities > Apache > Airflow > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-05-08 CVE-2023-25754 Unspecified vulnerability in Apache Airflow
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.
network
low complexity
apache
critical
9.8
2023-01-21 CVE-2023-22884 Unspecified vulnerability in Apache Airflow
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
network
low complexity
apache
critical
9.8
2022-11-22 CVE-2022-40189 Unspecified vulnerability in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files.
network
low complexity
apache
critical
9.8
2022-11-22 CVE-2022-38649 Unspecified vulnerability in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files.
network
low complexity
apache
critical
9.8
2022-09-02 CVE-2022-38054 Session Fixation vulnerability in Apache Airflow
In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.
network
low complexity
apache CWE-384
critical
9.8
2021-09-09 CVE-2021-38540 Missing Authentication for Critical Function vulnerability in Apache Airflow
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3.
network
low complexity
apache CWE-306
critical
9.8
2020-11-10 CVE-2020-13927 Insecure Default Initialization of Resource vulnerability in Apache Airflow
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact.
network
low complexity
apache CWE-1188
critical
9.8
2020-07-17 CVE-2020-11981 OS Command Injection vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-78
critical
9.8
2020-07-17 CVE-2020-11982 Deserialization of Untrusted Data vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-502
critical
9.8
2019-01-23 CVE-2017-17836 Credentials Management vulnerability in Apache Airflow
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow.
network
low complexity
apache CWE-255
critical
9.8