Airflow Security Vulnerabilities and Issues — Airflow CVE List

Lucene search

ApacheAirflow

4 matches found

CVE•added 2020/12/21 5:15 p.m.•98 views

CVE-2020-17526

Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have change...

7.7CVSS7.4AI score0.91487EPSS

CVE•added 2020/12/11 2:15 p.m.•81 views

CVE-2020-17515

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.

6.1CVSS5.9AI score0.12588EPSS

CVE•added 2020/12/14 10:15 a.m.•69 views

CVE-2020-17513

In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.

5.3CVSS5.5AI score0.00916EPSS

CVE•added 2020/12/14 10:15 a.m.•60 views

CVE-2020-17511

In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.

6.5CVSS6.3AI score0.00105EPSS