4 matches found

CVE
added 2023/12/21 10:15 a.m. | 51 views

CVE-2023-49920

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution...

CVSS 6.5 | AI score 6.4 | EPSS 0.0017

CVE
added 2023/12/21 10:15 a.m. | 49 views

CVE-2023-48291

Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to cle...

CVSS 4.3 | AI score 5.2 | EPSS 0.00409

CVE
added 2023/12/21 10:15 a.m. | 46 views

CVE-2023-47265

Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the br...

CVSS 5.4 | AI score 5.3 | EPSS 0.00187

CVE
added 2023/12/21 10:15 a.m. | 41 views

CVE-2023-50783

Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended ...

CVSS 6.5 | AI score 6.2 | EPSS 0.00031