ApacheAirflow2.7.0

4 matches found

CVE
added 2023/10/14 10:15 a.m. | 124 views

CVE-2023-45348

Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The expose_config option is False by default. It is recommended to upgrade to a v...

4.3 CVSS | 4.2 AI score | 0.00258 EPSS

CVE
added 2024/04/18 8:15 a.m. | 112 views

CVE-2024-31869

Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider curren...

5.3 CVSS | 4.2 AI score | 0.00432 EPSS

CVE
added 2023/08/23 4:15 p.m. | 66 views

CVE-2023-40273

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend...

8 CVSS | 7.7 AI score | 0.00252 EPSS

CVE
added 2023/12/21 10:15 a.m. | 52 views

CVE-2023-49920

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution...

6.5 CVSS | 6.4 AI score | 0.00555 EPSS