apache-airflow-core 3.0.4rc2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Command Injection Affected versions of this package are vulnerable to Command Injection via the `example_dag_decorator` function. An attacker can execute arbitrary commands on the worker by supplying a crafted parameter through the UI. Note: This is only exploitable if example DAGs are enabled in production or if the example DAG code is copied to create a similar DAG. How to fix Command Injection? Upgrade `apache-airflow-core` to version 3.0.5 or higher.	[3.0.0,3.0.5)
M Execution with Unnecessary Privileges Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the `bulk create API` with the overwrite action. An attacker can modify existing records by submitting crafted requests with only `CREATE` privileges. How to fix Execution with Unnecessary Privileges? Upgrade `apache-airflow-core` to version 3.1.1 or higher.	[3.0.0,3.1.1)
M Execution with Unnecessary Privileges Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the `/api/v2/dagReports` endpoint. An attacker can execute arbitrary code in the context of the API server by submitting malicious DAG code through the API. Note: This is only exploitable if the API server is deployed in an environment where DAG files are accessible to the server. How to fix Execution with Unnecessary Privileges? Upgrade `apache-airflow-core` to version 3.1.1 or higher.	[3.0.0,3.1.1)
H Information Exposure Affected versions of this package are vulnerable to Information Exposure via the `Connection` module. An attacker can access sensitive connection details by using READ permissions through both the API and the UI due to the regression that allows to bypass the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option. Note: This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior. How to fix Information Exposure? Upgrade `apache-airflow-core` to version 3.0.4 or higher.	[3.0.3,3.0.4)

Vulnerability

Vulnerable Version

Command Injection

Affected versions of this package are vulnerable to Command Injection via the example_dag_decorator function. An attacker can execute arbitrary commands on the worker by supplying a crafted parameter through the UI.

Note:

This is only exploitable if example DAGs are enabled in production or if the example DAG code is copied to create a similar DAG.

How to fix Command Injection?

Upgrade apache-airflow-core to version 3.0.5 or higher.

[3.0.0,3.0.5)

Execution with Unnecessary Privileges

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the bulk create API with the overwrite action. An attacker can modify existing records by submitting crafted requests with only CREATE privileges.

How to fix Execution with Unnecessary Privileges?

Upgrade apache-airflow-core to version 3.1.1 or higher.

[3.0.0,3.1.1)

Execution with Unnecessary Privileges

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the /api/v2/dagReports endpoint. An attacker can execute arbitrary code in the context of the API server by submitting malicious DAG code through the API.

Note:

This is only exploitable if the API server is deployed in an environment where DAG files are accessible to the server.

How to fix Execution with Unnecessary Privileges?

Upgrade apache-airflow-core to version 3.1.1 or higher.

[3.0.0,3.1.1)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure via the Connection module. An attacker can access sensitive connection details by using READ permissions through both the API and the UI due to the regression that allows to bypass the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS configuration option.

Note:

This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.

How to fix Information Exposure?

Upgrade apache-airflow-core to version 3.0.4 or higher.

[3.0.3,3.0.4)

apache-airflow-core@3.0.4rc2 vulnerabilities

Core packages for Apache Airflow, schedule and API server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically