Lucene search

ApacheAirflow

8 matches found

CVE
added 2020/12/21 5:15 p.m. | 98 views

CVE-2020-17526

Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have change...

CVSS 7.7 | AI score 7.4 | EPSS 0.91487

CVE
added 2023/10/28 8:15 a.m. | 93 views

CVE-2023-46215

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend. Note: the vulnerability is about the information exposed in the logs not abo...

CVSS 7.5 | AI score 7.3 | EPSS 0.00189

CVE
added 2022/11/14 10:15 a.m. | 80 views

CVE-2022-27949

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.

CVSS 7.5 | AI score 7.4 | EPSS 0.00163

CVE
added 2022/11/22 10:15 a.m. | 75 views

CVE-2022-41131

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider...

CVSS 7.8 | AI score 7.9 | EPSS 0.00174

CVE
added 2022/09/21 8:15 a.m. | 67 views

CVE-2022-40604

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.

CVSS 7.5 | AI score 7.4 | EPSS 0.00416

CVE
added 2019/01/23 5:29 p.m. | 62 views

CVE-2018-20245

The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.

CVSS 7.5 | AI score 7.4 | EPSS 0.00359

CVE
added 2024/01/24 1:15 p.m. | 61 views

CVE-2023-50943

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it...

CVSS 7.5 | AI score 7.3 | EPSS 0.0021

CVE
added 2024/11/15 9:15 a.m. | 49 views

CVE-2024-45784

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially ex...

CVSS 7.5 | AI score 7.5 | EPSS 0.01261