Vulnerabilities > Apache > Airflow > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-02-17 CVE-2021-26559 Unspecified vulnerability in Apache Airflow 2.0.0
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`.
network
low complexity
apache
6.5
2020-12-14 CVE-2020-17513 Server-Side Request Forgery (SSRF) vulnerability in Apache Airflow
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
network
low complexity
apache CWE-918
5.3
2020-12-14 CVE-2020-17511 Cleartext Storage of Sensitive Information vulnerability in Apache Airflow
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase.
network
low complexity
apache CWE-312
6.5
2020-12-11 CVE-2020-17515 Cross-site Scripting vulnerability in Apache Airflow
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
network
low complexity
apache CWE-79
6.1
2020-09-17 CVE-2020-13944 Cross-site Scripting vulnerability in Apache Airflow
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
network
low complexity
apache CWE-79
6.1
2020-07-17 CVE-2020-9485 Cross-site Scripting vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-79
6.1
2020-07-17 CVE-2020-11983 Cross-site Scripting vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-79
5.4
2020-01-14 CVE-2019-12398 Cross-site Scripting vulnerability in Apache Airflow
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
network
low complexity
apache CWE-79
4.8
2019-10-30 CVE-2019-12417 Cross-site Scripting vulnerability in Apache Airflow
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
network
low complexity
apache CWE-79
4.8
2019-04-10 CVE-2019-0216 Cross-site Scripting vulnerability in Apache Airflow
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
network
low complexity
apache CWE-79
4.8