Search: ApacheAirflow

10 matches found

CVE-2020-13927 (CVE; added 2020/11/10 4:15 p.m.; 1028 views)

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache....

CVSS 9.8 | AI score 9.2 | EPSS 0.94241
CVE-2020-11981 (CVE; added 2020/07/17 12:15 a.m.; 105 views)

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

CVSS 9.8 | AI score 9.3 | EPSS 0.90743
CVE-2021-38540 (CVE; added 2021/09/09 3:15 p.m.; 88 views)

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, =2.0.0,

CVSS 9.8 | AI score 9.8 | EPSS 0.90036
CVE-2022-38054 (CVE; added 2022/09/02 7:15 a.m.; 87 views)

In Apache Airflow versions 2.2.4 through 2.3.3, the database webserver session backend was susceptible to session fixation.

CVSS 9.8 | AI score 9.4 | EPSS 0.00619
CVE-2023-22884 (CVE; added 2023/01/21 2:15 p.m.; 85 views)

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

CVSS 9.8 | AI score 9.5 | EPSS 0.6394
CVE-2022-40189 (CVE; added 2022/11/22 10:15 a.m.; 82 views)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider v...

CVSS 9.8 | AI score 9.7 | EPSS 0.01624
CVE-2022-38649 (CVE; added 2022/11/22 10:15 a.m.; 81 views)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airfl...

CVSS 9.8 | AI score 9.7 | EPSS 0.01757
CVE-2020-11982 (CVE; added 2020/07/17 12:15 a.m.; 80 views)

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code exec...

CVSS 9.8 | AI score 9.4 | EPSS 0.05664
CVE-2023-25754 (CVE; added 2023/05/08 12:15 p.m.; 68 views)

Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.6.0.

CVSS 9.8 | AI score 9.4 | EPSS 0.00296
CVE-2017-17836 (CVE; added 2019/01/23 5:29 p.m.; 65 views)

In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the syst...

CVSS 9.8 | AI score 9 | EPSS 0.00578