2087 matches found
CVE-2020-11978
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending o...
Cross site scripting
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI...
Deserialization of untrusted data
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker Redis, RabbitMQ directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack and thus remote code...
Cross site scripting
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks...
PYSEC-2020-23
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI...
PYSEC-2020-16
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker Redis, RabbitMQ directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack and thus remote code...
Command injection
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending o...
PYSEC-2020-14
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending o...
PYSEC-2020-17
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks...
PYSEC-2020-15
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker Redis, RabbitMQ directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands...
Design/Logic Flaw
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker Redis, RabbitMQ directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands...
PYSEC-2020-23
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI...
PYSEC-2020-17
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks...
PYSEC-2020-15
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker Redis, RabbitMQ directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands...
PYSEC-2020-16
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker Redis, RabbitMQ directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack and thus remote code...
CVE-2020-11978
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending o...
CVE-2020-9485
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI...
CVE-2020-9485
CVE-2020-9485 is a stored XSS issue affecting Apache Airflow 1.10.10 and earlier, specifically in the Chart pages of the classic UI. The vulnerability is the result of unvalidated input being reflected in the UI, enabling an attacker to inject script via the affected chart rendering. The provided...
CVE-2020-11983
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks...
CVE-2020-11983
CVE-2020-11983 affects Apache Airflow versions 1.10.10 and earlier, where the RBAC UI admin screens mishandle escaping, enabling authenticated users with necessary permissions to perform stored XSS. The issue arises from improper input escaping in admin management screens of the new/RBAC UI, allo...