Vulnerabilities > Apache > Airflow > High

DATE CVE VULNERABILITY TITLE RISK
2024-07-17 CVE-2024-39877 Unspecified vulnerability in Apache Airflow
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model.
network
low complexity
apache
8.8
2024-03-14 CVE-2024-28746 Unspecified vulnerability in Apache Airflow 2.8.0/2.8.1/2.8.2
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.  Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
network
low complexity
apache
8.1
2024-01-24 CVE-2023-50943 Deserialization of Untrusted Data vulnerability in Apache Airflow
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization.
network
low complexity
apache CWE-502
7.5
2023-10-28 CVE-2023-46215 Unspecified vulnerability in Apache Airflow and Airflow Celery Provider
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.
network
low complexity
apache
7.5
2023-08-23 CVE-2023-37379 Unspecified vulnerability in Apache Airflow
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges.
network
low complexity
apache
8.1
2023-08-23 CVE-2023-40273 Unspecified vulnerability in Apache Airflow
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user.
network
low complexity
apache
8.0
2023-08-05 CVE-2023-39508 Unspecified vulnerability in Apache Airflow
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place.
network
low complexity
apache
8.8
2022-11-22 CVE-2022-41131 Unspecified vulnerability in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files.
local
low complexity
apache
7.8
2022-11-14 CVE-2022-27949 Unspecified vulnerability in Apache Airflow
A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed).
network
low complexity
apache
7.5
2022-11-14 CVE-2022-40127 Unspecified vulnerability in Apache Airflow
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter.
network
low complexity
apache
8.8