Vulnerabilities > Apache > Airflow > Medium

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2022-11-02 | CVE-2022-43982 | Cross-site Scripting vulnerability in Apache Airflow | In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | network | low | apache | CWE-79 | 6.1 |
| 2022-11-02 | CVE-2022-43985 | Unspecified vulnerability in Apache Airflow | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | network | low | apache | | 6.1 |
| 2022-09-21 | CVE-2022-40754 | Open Redirect vulnerability in Apache Airflow | In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. | network | low | apache | CWE-601 | 6.1 |
| 2022-09-02 | CVE-2022-38170 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Airflow | In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. | local | high | apache | CWE-732 | 4.7 |
| 2022-02-25 | CVE-2021-45229 | Cross-site Scripting vulnerability in Apache Airflow | It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | network | low | apache | CWE-79 | 6.1 |
| 2022-01-20 | CVE-2021-45230 | Unspecified vulnerability in Apache Airflow | In Apache Airflow prior to 2.2.0. | network | low | apache | | 6.5 |
| 2021-08-16 | CVE-2021-35936 | Missing Authentication for Critical Function vulnerability in Apache Airflow | If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. | network | low | apache | CWE-306 | 5.3 |
| 2021-06-07 | CVE-2021-29621 | Information Exposure Through Discrepancy vulnerability in multiple products | Flask-AppBuilder is a development framework, built on top of Flask. | network | low | flask-appbuilder-project, apache | CWE-203 | 5.3 |
| 2021-05-02 | CVE-2021-28359 | Cross-site Scripting vulnerability in Apache Airflow | The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. | network | low | apache | CWE-79 | 6.1 |
| 2021-02-17 | CVE-2021-26697 | Missing Authentication for Critical Function vulnerability in Apache Airflow 2.0.0 | The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. | network | low | apache | CWE-306 | 5.3 |