apache-airflow-task-sdk 1.0.3

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow-task-sdk package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Insertion of Sensitive Information Into Sent Data apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the `/api/v2/connections/{connection_id}` REST API endpoint. An attacker can access sensitive credential information stored in the `extra` JSON blob by making authenticated requests with Connection-read permissions, even for fields not intended to be exposed, potentially leading to unauthorized disclosure of secrets. Notes: This is only exploitable if credentials are stored in the `extra` field and Connection-read access is granted to multiple users. The vulnerable code is not distributed as a traditional dependency and is instead provided as vendored code (see docs) How to fix Insertion of Sensitive Information Into Sent Data? Upgrade `apache-airflow-task-sdk` to version 1.2.2rc1 or higher.	[,1.2.2rc1)
H Insertion of Sensitive Information Into Sent Data apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the handling of rendered template fields when the length exceeds the configured maximum, causing nested sensitive keys within JSON structures to be stringified before redaction and resulting in plaintext secret values being persisted in `rendered_fields`. An attacker can obtain confidential information by accessing rendered template fields through the UI or API with appropriate permissions. Note: This is only exploitable if structured JSON containing nested sensitive keys is passed to operators and the attacker has authenticated access with permission to read rendered template fields. How to fix Insertion of Sensitive Information Into Sent Data? Upgrade `apache-airflow-task-sdk` to version 1.2.2rc1 or higher.	[,1.2.2rc1)
H Insertion of Sensitive Information into Log File apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File which had `mask_secret()` applied. The DAG run logs UI exposes variable values from the configuration file in plain text, although they are masked from the subprocess. A Deployment Manager or user who has been granted access to the log UI by a Deployment Manager can obtain confidential data. Note: The documented security model and workflow isolation guide recommend restricting read access to appropriately privileged users for secure workflows. How to fix Insertion of Sensitive Information into Log File? Upgrade `apache-airflow-task-sdk` to version 1.1.4rc1 or higher.	[,1.1.4rc1)
H Information Exposure apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Information Exposure in the error messages in the UI when a DAG fails during parsing. A user can obtain sensitive information from `kwargs` passed to operators, by viewing UI tracebacks. Note: This is only exploitable if authenticated users have permission to view the affected DAG in the UI. How to fix Information Exposure? Upgrade `apache-airflow-task-sdk` to version 1.1.4rc1 or higher.	[,1.1.4rc1)
M Insertion of Sensitive Information into Log File apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the `proxies` and `proxy` fields in a `Connection`. An attacker can obtain sensitive proxy credentials if they are embedded in proxy URLs. How to fix Insertion of Sensitive Information into Log File? Upgrade `apache-airflow-task-sdk` to version 1.1.6rc1 or higher.	[,1.1.6rc1)
M Improper Removal of Sensitive Information Before Storage or Transfer apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the serialization for rendered template fields when the length exceeds the configured maximum. An attacker can access sensitive information by viewing unmasked secrets displayed in the Rendered Templates UI. How to fix Improper Removal of Sensitive Information Before Storage or Transfer? Upgrade `apache-airflow-task-sdk` to version 1.1.6rc1 or higher.	[,1.1.6rc1)
H Insertion of Sensitive Information Into Sent Data	[1.0.0a2,1.1.4rc1)

Vulnerability

Vulnerable Version

Insertion of Sensitive Information Into Sent Data

apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the /api/v2/connections/{connection_id} REST API endpoint. An attacker can access sensitive credential information stored in the extra JSON blob by making authenticated requests with Connection-read permissions, even for fields not intended to be exposed, potentially leading to unauthorized disclosure of secrets.

Notes:

This is only exploitable if credentials are stored in the extra field and Connection-read access is granted to multiple users.
The vulnerable code is not distributed as a traditional dependency and is instead provided as vendored code (see docs)

How to fix Insertion of Sensitive Information Into Sent Data?

Upgrade apache-airflow-task-sdk to version 1.2.2rc1 or higher.

[,1.2.2rc1)

Insertion of Sensitive Information Into Sent Data

apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the handling of rendered template fields when the length exceeds the configured maximum, causing nested sensitive keys within JSON structures to be stringified before redaction and resulting in plaintext secret values being persisted in rendered_fields. An attacker can obtain confidential information by accessing rendered template fields through the UI or API with appropriate permissions.

Note: This is only exploitable if structured JSON containing nested sensitive keys is passed to operators and the attacker has authenticated access with permission to read rendered template fields.

How to fix Insertion of Sensitive Information Into Sent Data?

Upgrade apache-airflow-task-sdk to version 1.2.2rc1 or higher.

[,1.2.2rc1)

Insertion of Sensitive Information into Log File

apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File which had mask_secret() applied. The DAG run logs UI exposes variable values from the configuration file in plain text, although they are masked from the subprocess. A Deployment Manager or user who has been granted access to the log UI by a Deployment Manager can obtain confidential data.

Note: The documented security model and workflow isolation guide recommend restricting read access to appropriately privileged users for secure workflows.

How to fix Insertion of Sensitive Information into Log File?

Upgrade apache-airflow-task-sdk to version 1.1.4rc1 or higher.

[,1.1.4rc1)

Information Exposure

apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python.

Affected versions of this package are vulnerable to Information Exposure in the error messages in the UI when a DAG fails during parsing. A user can obtain sensitive information from kwargs passed to operators, by viewing UI tracebacks.

Note: This is only exploitable if authenticated users have permission to view the affected DAG in the UI.

How to fix Information Exposure?

Upgrade apache-airflow-task-sdk to version 1.1.4rc1 or higher.

[,1.1.4rc1)

Insertion of Sensitive Information into Log File

apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the proxies and proxy fields in a Connection. An attacker can obtain sensitive proxy credentials if they are embedded in proxy URLs.

How to fix Insertion of Sensitive Information into Log File?

Upgrade apache-airflow-task-sdk to version 1.1.6rc1 or higher.

[,1.1.6rc1)

Improper Removal of Sensitive Information Before Storage or Transfer

apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python.

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the serialization for rendered template fields when the length exceeds the configured maximum. An attacker can access sensitive information by viewing unmasked secrets displayed in the Rendered Templates UI.

How to fix Improper Removal of Sensitive Information Before Storage or Transfer?

Upgrade apache-airflow-task-sdk to version 1.1.6rc1 or higher.

[,1.1.6rc1)

Insertion of Sensitive Information Into Sent Data

[1.0.0a2,1.1.4rc1)

apache-airflow-task-sdk@1.0.3

Python Task SDK for Apache Airflow DAG Authors

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically