apache-airflow-core 3.0.5rc1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Command Injection Affected versions of this package are vulnerable to Command Injection via the `example_dag_decorator` function. An attacker can execute arbitrary commands on the worker by supplying a crafted parameter through the UI. Note: This is only exploitable if example DAGs are enabled in production or if the example DAG code is copied to create a similar DAG. How to fix Command Injection? Upgrade `apache-airflow-core` to version 3.0.5 or higher.	[3.0.0,3.0.5)
M Execution with Unnecessary Privileges Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the `bulk create API` with the overwrite action. An attacker can modify existing records by submitting crafted requests with only `CREATE` privileges. How to fix Execution with Unnecessary Privileges? Upgrade `apache-airflow-core` to version 3.1.1 or higher.	[3.0.0,3.1.1)
M Execution with Unnecessary Privileges Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the `/api/v2/dagReports` endpoint. An attacker can execute arbitrary code in the context of the API server by submitting malicious DAG code through the API. Note: This is only exploitable if the API server is deployed in an environment where DAG files are accessible to the server. How to fix Execution with Unnecessary Privileges? Upgrade `apache-airflow-core` to version 3.1.1 or higher.	[3.0.0,3.1.1)

Vulnerability

Vulnerable Version

Command Injection

Affected versions of this package are vulnerable to Command Injection via the example_dag_decorator function. An attacker can execute arbitrary commands on the worker by supplying a crafted parameter through the UI.

Note:

This is only exploitable if example DAGs are enabled in production or if the example DAG code is copied to create a similar DAG.

How to fix Command Injection?

Upgrade apache-airflow-core to version 3.0.5 or higher.

[3.0.0,3.0.5)

Execution with Unnecessary Privileges

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the bulk create API with the overwrite action. An attacker can modify existing records by submitting crafted requests with only CREATE privileges.

How to fix Execution with Unnecessary Privileges?

Upgrade apache-airflow-core to version 3.1.1 or higher.

[3.0.0,3.1.1)

Execution with Unnecessary Privileges

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the /api/v2/dagReports endpoint. An attacker can execute arbitrary code in the context of the API server by submitting malicious DAG code through the API.

Note:

This is only exploitable if the API server is deployed in an environment where DAG files are accessible to the server.

How to fix Execution with Unnecessary Privileges?

Upgrade apache-airflow-core to version 3.1.1 or higher.

[3.0.0,3.1.1)

apache-airflow-core@3.0.5rc1 vulnerabilities

Core packages for Apache Airflow, schedule and API server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically