Vulnerabilities > Apache > Airflow > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-08-21 CVE-2024-41937 Cross-site Scripting vulnerability in Apache Airflow
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link.
network
low complexity
apache CWE-79
6.1
2024-07-17 CVE-2024-39863 Cross-site Scripting vulnerability in Apache Airflow
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider.
network
low complexity
apache CWE-79
5.4
2024-01-24 CVE-2023-50944 Missing Authorization vulnerability in Apache Airflow
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it.
network
low complexity
apache CWE-862
6.5
2024-01-24 CVE-2023-51702 Cleartext Storage of Sensitive Information vulnerability in Apache Airflow and Airflow Cncf Kubernetes
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption.
network
low complexity
apache CWE-312
6.5
2023-12-21 CVE-2023-47265 Cross-site Scripting vulnerability in Apache Airflow
Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox.
network
low complexity
apache CWE-79
5.4
2023-12-21 CVE-2023-48291 Exposure of Resource to Wrong Sphere vulnerability in Apache Airflow
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2  Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.
network
low complexity
apache CWE-668
4.3
2023-12-21 CVE-2023-49920 Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected
network
low complexity
apache CWE-352
6.5
2023-12-21 CVE-2023-50783 Improper Access Control vulnerability in Apache Airflow
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue
network
low complexity
apache CWE-284
6.5
2023-11-12 CVE-2023-42781 Unspecified vulnerability in Apache Airflow
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.  This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.
network
low complexity
apache
6.5
2023-11-12 CVE-2023-47037 Incorrect Authorization vulnerability in Apache Airflow
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then.  Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes.
network
low complexity
apache CWE-863
4.3