Apache Airflow vulnerabilities: High risk

| Date | CVE | Vulnerability title | Description | Tags | Risk |
|---|---|---|---|---|---|
| 2022-10-07 | CVE-2022-41672 | Unspecified vulnerability in Apache Airflow | In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | network, low complexity, apache | 8.1 |
| 2022-09-21 | CVE-2022-40604 | Use of Externally-Controlled Format String vulnerability in Apache Airflow | In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction. | network, low complexity, apache, CWE-134 | 7.5 |
| 2022-02-25 | CVE-2022-24288 | OS Command Injection vulnerability in Apache Airflow | In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | network, low complexity, apache, CWE-78 | 8.8 |
| 2020-12-21 | CVE-2020-17526 | Unspecified vulnerability in Apache Airflow | Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. | network, low complexity, apache | 7.7 |
| 2020-07-17 | CVE-2020-11978 | OS Command Injection vulnerability in Apache Airflow | An issue was found in Apache Airflow versions 1.10.10 and below. | network, low complexity, apache, CWE-78 | 8.8 |
| 2019-04-10 | CVE-2019-0229 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow | A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks. | network, low complexity, apache, CWE-352 | 8.8 |
| 2019-01-23 | CVE-2018-20245 | Improper Certificate Validation vulnerability in Apache Airflow | The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking. | network, low complexity, apache, CWE-295 | 7.5 |
| 2019-01-23 | CVE-2017-17835 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow | In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow. | network, low complexity, apache, CWE-352 | 8.8 |
| 2019-01-23 | CVE-2017-15720 | Improper Input Validation vulnerability in Apache Airflow | In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object. | network, low complexity, apache, CWE-20 | 8.8 |