CVE-2020-11982
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly into the broker, which could lead to a deserialization attack and thus remote code...
CVE-2020-11983
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks...
CVE-2020-17513
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old Flask-admin based UI were vulnerable to SSRF attack...
CVE-2025-30473 Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When using the partition clause in SQLTableCheckOperator as a parameter, which was a recommended pattern, an authenticated UI user could inject arbitrary SQL commands...
CVE-2023-42663
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated wit...
CVE-2023-37415
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797: before 6.1.2, the proxy_user option could also inject a semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. It is recommended updatin...
CVE-2024-32077
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue...
acceldata-o2a (=1.0.0), acryl-datahub-airflow-plugin (>=0.9.5.1rc1 <=1.3.1.post1) +113 more potentially affected by CVE-2024-45498 via apache-airflow (>=2.0.0 <=2.11.2)
apache-airflow PYPI version =2.0.0, =0.9.5.1rc1, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.4.0, =0.1.0a1, =0.6.0, =0.1.1, =0.1.1, =0.10.2, =0.11.0 - airflow-ditto =0.0.1.2 and more Source cves: CVE-2024-45498 Source advisory: OSV:PYSEC-2024-266...
acceldata-o2a (=1.0.0), acryl-datahub-airflow-plugin (>=0.9.5.1rc1 <=1.3.1.post1) +113 more potentially affected by CVE-2024-42447 via apache-airflow (>=2.0.0 <=2.11.2)
apache-airflow PYPI version =2.0.0, =0.9.5.1rc1, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.4.0, =0.1.0a1, =0.6.0, =0.1.1, =0.1.1, =0.10.2, =0.11.0 - airflow-ditto =0.0.1.2 and more Source cves: CVE-2024-42447 Source advisory: OSV:PYSEC-2024-265...
PT-2024-4257 · Apache · Apache Airflow
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.9.2 Description: The issue is related to the use of web browser cache containing sensitive information in Apache Airflow. Airflow did not return a "Cache-Control" header for dynamic content, which could resu...
aind-airflow-jobs (>=0.2.1 <=0.2.6), airflow-ansible-provider (=0.6.0) +15 more potentially affected by CVE-2024-31869 via apache-airflow (>=2.7.1 <=2.8.4)
apache-airflow PYPI version =2.7.1, =0.2.1, =1.1.0, =0.3.1, =0.0.4, =0.0.1a0, =1.0.0rc1, =1.0.0rc1, =1.0.0, =0.1.30, =0.0.1, =0.1.0, =1.1.0.post0.dev45, =1.1.3.post0.dev5 and more Source cves: CVE-2024-31869 Source advisory: OSV:GHSA-2522-MRJC-M688...
PT-2024-3091 · Airflow · Airflow
Name of the Vulnerable Software and Affected Versions: Airflow versions 2.7.0 through 2.8.4 Description: The issue is related to insufficient protection of internal data, allowing an authenticated user to access sensitive provider configuration via the "configuration" UI page when the...
CVE-2020-17526
creationtimestamp | type | source
---|---|---
2024-04-06 09:56:09+00:00 | published-proof-of-concept | https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apacheairflowcve202017526...
Apache Airflow security vulnerability
Apache Airflow is an open-source platform from the Apache Software Foundation (United States) for creating, managing and monitoring workflows. The platform is scalable and offers dynamic monitoring, among other features. An information disclosure vulnerability exists in Apache Airflow versions prior to...
abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +237 more potentially affected by CVE-2024-27906 via apache-airflow (>=1.10.1 <=2.8.1)
apache-airflow PYPI version =1.10.1, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.1, =0.2.9b1, =1.0.7, =0.4.0, =0.1.0a1, =0.5.1, =0.1.1, =0.6.0 and more Source cves: CVE-2024-27906 Source advisory: OSV:GHSA-6V6W-H8M6-7MV2...
PYSEC-2024-245
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk...
abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +234 more potentially affected by CVE-2023-50943 via apache-airflow (>=1.10.1 <=2.8.0)
apache-airflow PYPI version =1.10.1, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.9b1, =1.0.7, =0.4.0, =0.1.0a1, =0.5.1, =0.1.1, =0.1.1, =1.10.6 and more Source cves: CVE-2023-50943 Source advisory: OSV:PYSEC-2024-13...
PYSEC-2024-13
Apache Airflow, versions before 2.8.1, has a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of the "enable_xcom_pickling=False" configuration setting, resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it...
CVE-2023-50943 Apache Airflow: Potential pickle deserialization vulnerability in XComs
Apache Airflow, versions before 2.8.1, has a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of the "enable_xcom_pickling=False" configuration setting, resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it...
abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +234 more potentially affected by CVE-2023-50783 via apache-airflow (>=1.10.1 <=2.7.3)
apache-airflow PYPI version =1.10.1, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.9b1, =1.0.7, =0.4.0, =0.1.0a1, =0.5.1, =0.1.1, =0.1.1, =1.10.6 and more Source cves: CVE-2023-50783 Source advisory: OSV:PYSEC-2023-267...