apache-airflow@1.10.13rc1 vulnerabilities
Programmatically author, schedule and monitor data pipelines
- latest version: 2.10.3
- latest non vulnerable version: (none listed)
- first published: 8 years ago
- latest version published: 17 days ago
Direct Vulnerabilities
Known vulnerabilities in the apache-airflow package. This does not include vulnerabilities belonging to this package’s dependencies.

| Vulnerability | Vulnerable Version |
|---|---|
| Affected versions are vulnerable to Insertion of Sensitive Information into Log File: configuration variables belonging to other DAG author users are written to log files. If those variables hold sensitive values, which the attacking user cannot control, they are exposed. Fix: upgrade to 2.10.3rc1 or later. | [,2.10.3rc1) |
| Affected versions are vulnerable to Uninitialized Memory Exposure: authenticated users with audit log access can see sensitive, unencrypted stored values that were set via the airflow CLI. Note: users who set secret variables via the CLI should manually delete the entries holding those values from the log table. Fix: upgrade to 2.10.3 or later. | [,2.10.3) |
| Affected versions are vulnerable to Execution with Unnecessary Privileges: a DAG author can add local settings to the DAG folder, and the scheduler then executes them. An attacker with DAG author permissions can escalate privileges and execute arbitrary code by manipulating DAG configuration files. Fix: upgrade to 2.10.1 or later. | [,2.10.1) |
| Affected versions are vulnerable to Improper Encoding or Escaping of Output through the […] Fix: upgrade to 2.10.1 or later. | [,2.10.1) |
| Affected versions are vulnerable to Cross-site Scripting (XSS) through the provider documentation link, due to improper user input sanitization in the […] Fix: upgrade to 2.10.0 or later. | [,2.10.0) |
| Affected versions are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): an authenticated attacker can inject a malicious link into the provider installation process. Fix: upgrade to 2.9.3 or later. | [,2.9.3) |
| Affected versions are vulnerable to Use of Web Browser Cache Containing Sensitive Information by not returning the […] Fix: upgrade to 2.9.2 or later. | [,2.9.2) |
| Affected versions are vulnerable to Improper Certificate Validation for […] Fix: upgrade to 2.9.0b1 or later. | [,2.9.0b1) |
| Affected versions are vulnerable to Incorrect Default Permissions: Ops and Viewer users can view all information in audit logs, including DAG names and usernames they are not permitted to view. Fix: upgrade to 2.8.2rc1 or later. | [,2.8.2rc1) |
| Affected versions are vulnerable to Exposure of Resource to Wrong Sphere due to improper permission checks in the API and UI components: an attacker can view DAG code and import errors for DAGs they are not authorized to access. Fix: upgrade to 2.8.2 or later. | [,2.8.2) |
| Affected versions are vulnerable to Improper Authorization due to improper validation of the […] Fix: upgrade to 2.6.3 or later. | [,2.6.3) |
| Affected versions are vulnerable to Deserialization of Untrusted Data due to improper validation of input when deserializing XCom data: an attacker can execute arbitrary code by submitting crafted input that bypasses the protection of the […] Fix: upgrade to 2.8.1 or later. | [,2.8.1) |
| Affected versions are vulnerable to Missing Authorization in the permission verification process: an attacker can read the source code of a DAG without the required permissions. Fix: upgrade to 2.8.1 or later. | [,2.8.1) |
| Affected versions are vulnerable to Denial of Service (DoS): an attacker can cause a service disruption by manipulating the […] Fix: upgrade to 2.6.3 or later. | [,2.6.3) |
| Affected versions are vulnerable to Improper Access Control, allowing an authenticated user with limited access to some […] NOTE: this was thought to be fixed in version 2.7.2, with the publication of CVE-2023-42792, but it was missed. Fix: upgrade to 2.8.0b1 or later. | [,2.8.0b1) |
| Affected versions are vulnerable to Improper Access Control via the […] Fix: upgrade to 2.8.0b1 or later. | [,2.8.0b1) |
| Affected versions are vulnerable to Incorrect Authorization in […] This is the same vulnerability described by CVE-2023-40611, which has now been fixed. Fix: upgrade to 2.7.3 or later. | [,2.7.3) |
| Affected versions are vulnerable to Improper Access Control in the handling of task instances: a user can read information about task instances in other DAGs. Fix: upgrade to 2.7.3 or later. | [,2.7.3) |
| Affected versions are vulnerable to Improper Access Control, allowing authenticated users to list warnings for all DAGs, even if the user had no permission […] reveal the […] Fix: upgrade to 2.7.2 or later. | [,2.7.2) |
| Affected versions are vulnerable to Improper Access Control, allowing an authenticated user with limited access to some […] NOTE: this was thought to be fixed in version 2.7.2, but was missed and later addressed with the publication of CVE-2023-48291. Fix: upgrade to 2.7.2 or later. | [,2.7.2) |
| Affected versions are vulnerable to Information Exposure due to an improper access control mechanism: an authorized user with read access to specific DAGs can access information about task instances in other DAGs. Note: this is only exploitable if the user has been granted read access to specific DAGs. Fix: upgrade to 2.7.2 or later. | [,2.7.2) |
| Affected versions are vulnerable to Insecure Defaults: the 'xcomEntries' API supported the deserialize flag by default. This was an unsafe default, as deserialization may instantiate arbitrary objects. Fix: upgrade to 2.7.0 or later. | [,2.7.0) |
| Affected versions are vulnerable to Incorrect Authorization in […] NOTE: this vulnerability was originally marked as fixed in 2.7.1, but the fix did not make it into that version. It was subsequently fixed in 2.7.3 and also assigned CVE-2023-47037. Fix: upgrade to 2.7.3 or later. | [,2.7.3) |
| Affected versions are vulnerable to Information Exposure in a rendered template generated with […] Fix: upgrade to 2.7.1 or later. | [,2.7.1) |
| Affected versions are vulnerable to Denial of Service (DoS) that can be exploited by an authenticated user with […] Note: malicious actors can leverage this vulnerability to establish harmful connections with the server. Mitigation: administrators should review and adjust user permissions to restrict access to sensitive functionality, reducing the attack surface. Fix: upgrade to 2.7.0 or later. | [,2.7.0) |
| Affected versions are vulnerable to Improper Certificate Validation: because of improper validation in the SSL context, any server's X.509 certificate is accepted, so an attacker in a MITM position can intercept the client's communication and potentially disclose mail server credentials or mail content. Note: this is only exploitable if the default SSL context is being used, and the attacker must sit on the logical network path between the target and the requested resource in order to read or modify the traffic. Fix: upgrade to 2.7.0 or later. | [,2.7.0) |
| Affected versions are vulnerable to Session Fixation: an authenticated user can keep accessing the Airflow webserver after an admin has reset that user's password, until the user's session expires. Note: other than manually cleaning the session database (for the database session backend) or changing the […] Fix: upgrade to 2.7.0 or later. | [,2.7.0) |
| Affected versions are vulnerable to Execution with Unnecessary Privileges via the "Run Task" feature, which lets users execute code in the webserver context and access certain DAGs. Fix: upgrade to 2.6.0b1 or later. | [,2.6.0b1) |
| Affected versions are vulnerable to Improper Input Validation: an authenticated user can use crafted input to make the current request hang. Fix: upgrade to 2.6.3 or later. | [,2.6.3) |
| Affected versions are vulnerable to Incorrect Authorization due to improper validation of the […] Fix: upgrade to 2.6.3 or later. | [,2.6.3) |
| Affected versions are vulnerable to Directory Traversal by manipulating the […] Fix: upgrade to 2.6.3 or later. | [,2.6.3) |
| Affected versions are vulnerable to Information Exposure via the […] Note: exploiting this vulnerability requires someone with access to […] Fix: upgrade to 2.6.3 or later. | [,2.6.3) |
| Affected versions are vulnerable to Privilege Escalation due to missing permissions validation in the […] Note: default permissions are set to […] Fix: upgrade to 2.6.0 or later. | [,2.6.0) |
| Affected versions are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization on the task instance details page in the UI. Fix: upgrade to 2.6.0 or later. | [,2.6.0) |
| Affected versions are vulnerable to Information Exposure: the UI traceback contains information that could help an attacker better target their attack. Fix: upgrade to 2.5.2 or later. | [,2.5.2) |
| Affected versions are vulnerable to Command Injection due to lack of sanitization of input to the […] Fix: upgrade to 2.5.1 or later. | [,2.5.1) |
| Affected versions are vulnerable to Open Redirect in the webserver's […] Fix: upgrade to 2.4.3 or later. | [,2.4.3) |
| Affected versions are vulnerable to Information Exposure: an attacker can view unmasked secrets in rendered template values for tasks that were not executed (for example, tasks that depend on past runs whose previous instances failed). Fix: upgrade to 2.3.1 or later. | [,2.3.1) |
| Affected versions are vulnerable to Command Injection by an attacker with UI access who can trigger […] Fix: upgrade to 2.4.0 or later. | [,2.4.0) |
| Affected versions are vulnerable to Open Redirect in the webserver's […] Fix: upgrade to 2.4.2 or later. | [,2.4.2) |
| Affected versions are vulnerable to Cross-site Scripting (XSS) in the […] Fix: upgrade to 2.4.2 or later. | [,2.4.2) |
| Affected versions are vulnerable to Access Restriction Bypass in the […] Fix: upgrade to 2.4.1 or later. | [,2.4.1) |
| Affected versions are vulnerable to Information Exposure due to an insecure […] Fix: upgrade to 2.3.4 or later. | [,2.3.4) |
| Affected versions are vulnerable to Cross-site Scripting (XSS) via the "Trigger DAG with config" screen, through the […] Fix: upgrade to 2.2.4 or later. | [,2.2.4) |
| Affected versions are vulnerable to Command Injection via example DAGs that accept user-provided parameters without sanitization, making them susceptible to OS command injection from the web UI. Fix: upgrade to 2.2.4 or later. | [,2.2.4) |
| Affected versions are vulnerable to Improper Access Control: users with "can_create" permission on DAG Runs can create DAG runs for DAGs they do not have "edit" permission for. Fix: upgrade to 2.2.0 or later. | [,2.2.0) |
| Affected versions are vulnerable to Information Exposure: if remote logging is not used, the worker (with CeleryExecutor) or the scheduler (with LocalExecutor) runs a Flask logging server that listens on a specific port and binds to 0.0.0.0 by default. This logging server had no authentication and allowed reading the log files of DAG jobs. Fix: upgrade to 2.1.2 or later. | [,2.1.2) |
| Affected versions are vulnerable to Cross-site Scripting (XSS) via the […] Fix: upgrade to 1.10.15 or later on the 1.10 line, or to 2.0.2 or later. | [,1.10.15), [2.0.0b1,2.0.2) |
| Affected versions are vulnerable to Privilege Escalation: improper access control on the configurations endpoint of the Stable API allows users with […] Fix: upgrade to 2.0.1 or later. | [,2.0.1) |
| Affected versions are vulnerable to Improper Authentication: with the default config, a malicious Airflow user who logs in normally on site A can use the session from site A to gain unauthorized access to the Airflow webserver on site B. This does not affect users who have changed the default value for […] Fix: upgrade to 1.10.14 or later. | [,1.10.14) |
| Affected versions are vulnerable to Server-Side Request Forgery (SSRF): the Charts and Query View of the old (Flask-admin based) UI were vulnerable to SSRF. Fix: upgrade to 1.10.13 or later. | [,1.10.13) |
| Affected versions are vulnerable to Credential Exposure: when a user is created with the airflow CLI, the password is logged in plain text in the Log table of the Airflow metadata database. The same happens when creating a Connection with a password field. Fix: upgrade to 1.10.13 or later. | [,1.10.13) |
| Affected versions are vulnerable to Cross-site Scripting (XSS): the "origin" parameter passed to some endpoints, such as '/trigger', was vulnerable to XSS. This issue affects Apache Airflow versions prior to 1.10.13; it is the same as CVE-2020-13944, but the fix implemented in Airflow 1.10.13 did not resolve it completely. Fix: upgrade to 2.0.2 or later. | [,2.0.2) |
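The Improper Certificate Validation entry fixed in 2.7.0 comes down to which `ssl.SSLContext` the mail client hands to the TLS layer: a context that does not require a verified chain accepts whatever certificate the peer presents. The following is an added example, not code from this page or from Airflow: it builds a context the way the weak pattern does (a bare `SSLContext`, which defaults to no verification) beside a hardened one, and a small audit helper that reports the weak settings. The function names are this example's own.

```python
import ssl
import warnings
from typing import List, Optional


def insecure_smtp_context() -> ssl.SSLContext:
    """Context built the way the weak pattern does it: a bare SSLContext().

    A bare ssl.SSLContext() defaults to verify_mode=CERT_NONE and
    check_hostname=False, so any X.509 certificate is accepted and an
    attacker on the network path can terminate TLS and read the mail
    credentials and content that pass through it.
    """
    with warnings.catch_warnings():
        # Python 3.10+ warns that SSLContext() without a protocol is deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext()


def hardened_smtp_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context a mail client should use: verified chain plus hostname check.

    Pass cafile for a private CA; None loads the system trust store.
    Use it as smtplib.SMTP_SSL(host, port, context=ctx) or SMTP.starttls(context=ctx).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client-side SSLContext (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions below 1.2 still allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_smtp_context()), ("hardened", hardened_smtp_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Run `audit_context` on any context your code builds before it reaches `smtplib`; the two verification findings are the ones that turn a passive network position into a credential leak.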
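The Improper Authentication entry fixed in 1.10.14 (a session from site A accepted by site B under the default config) is what happens when two webservers sign session cookies with the same key: a signed cookie is bound to the signing key, not to the deployment that issued it. The following is an added example, not Airflow's code. It models sessions with a simplified HMAC-SHA256 signed cookie rather than the webserver's real cookie format; the site names, the account, the shared key and the function names are all made up for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def sign_session(key: bytes, session: dict) -> str:
    """Mint a cookie: urlsafe-b64(payload) + '.' + urlsafe-b64(HMAC-SHA256(key, payload))."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def load_session(key: bytes, cookie: str) -> Optional[dict]:
    """Return the session if the cookie's MAC verifies under `key`, else None."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


class Webserver:
    """One Airflow-like webserver with its own user table and its own signing key."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self.key = signing_key
        self.users: Dict[str, str] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        if self.users.get(user) != password:
            return None
        return sign_session(self.key, {"user": user, "issuer": self.name})

    def whoami(self, cookie: str) -> Optional[str]:
        # Only the MAC is checked; nothing ties the cookie to this site.
        session = load_session(self.key, cookie)
        return session["user"] if session else None


# Stand-in for a signing key nobody changed after install (constructed value).
SHARED_DEFAULT_KEY = b"shared-default-key"


def fresh_key() -> bytes:
    """What every deployment should do instead: generate its own random key."""
    return secrets.token_bytes(32)


def demo_cross_site_reuse(key_a: bytes, key_b: bytes) -> Optional[str]:
    """Log in on site A, present that cookie to site B, return who B thinks it is."""
    site_a = Webserver("site-a", key_a)
    site_a.users["mallory"] = "hunter2"     # mallory has a legitimate account on A
    site_b = Webserver("site-b", key_b)     # and no account at all on B
    cookie = site_a.login("mallory", "hunter2")
    return site_b.whoami(cookie)


if __name__ == "__main__":
    print("same key on both sites:", demo_cross_site_reuse(SHARED_DEFAULT_KEY, SHARED_DEFAULT_KEY))
    print("site B with its own key:", demo_cross_site_reuse(SHARED_DEFAULT_KEY, fresh_key()))
```

With identical keys site B accepts the cookie and reports a user it has never heard of; once B has its own key the same cookie fails the MAC check. The remedy is per-deployment: every webserver gets a random signing key of its own, and rotating it logs everyone out, which is exactly the point.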
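Two entries on this page describe the same leak through the metadata database: the Credential Exposure entry fixed in 1.10.13 (a CLI-created user's password, or a Connection's password, logged in plain text in the Log table) and the audit-log entry fixed in 2.10.3, whose note says to delete the log rows holding CLI-set secret variables by hand. Both come down to the same clean-up: find the log rows recorded for secret-bearing CLI commands and strip the secret from them. The following is an added example, not Airflow's code. It builds a throwaway SQLite table with the `log` columns it needs (id, dttm, event, owner, extra) and constructed rows, and it assumes the CLI events are named `cli_users_create`, `cli_connections_add` and `cli_variables_set` with the command's arguments and/or full command line stored as JSON in `extra`; those names and that shape are this example's assumption, so check them against your own table before pointing anything like it at production.

```python
import json
import re
import sqlite3
from typing import List

# Assumed shape of the rows the CLI action logger writes to `log`:
# event = "cli_<subcommand>", extra = JSON with argument fields and/or the
# full command line. Verify against your own table before relying on this.
SECRET_EVENTS = ("cli_users_create", "cli_connections_add", "cli_variables_set")
SECRET_KEYS = ("password", "conn_password", "value")
PASSWORD_FLAG = re.compile(r"(-p|--password|--conn-password)(=|\s+)(\S+)")
REDACTED = "***REDACTED***"

# Constructed sample rows (dttm, event, owner, extra); not real audit data.
CONSTRUCTED_ROWS = [
    ("2024-01-01 10:00:00", "cli_users_create", "root",
     json.dumps({"full_command": "airflow users create -u alice -p S3cr3t! -r Admin"})),
    ("2024-01-01 10:05:00", "cli_connections_add", "root",
     json.dumps({"conn_password": "pgpass",
                 "full_command": "airflow connections add pg --conn-password=pgpass"})),
    ("2024-01-01 10:10:00", "cli_variables_set", "root",
     json.dumps({"key": "api_token", "value": "tok_123"})),
    ("2024-01-01 10:15:00", "cli_dags_list", "root", json.dumps({})),
    ("2024-01-01 10:20:00", "trigger", "alice", None),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the metadata DB, with only the `log` columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, dttm TEXT, "
                 "event TEXT, owner TEXT, extra TEXT)")
    conn.executemany("INSERT INTO log (dttm, event, owner, extra) VALUES (?, ?, ?, ?)",
                     CONSTRUCTED_ROWS)
    conn.commit()
    return conn


def find_secret_rows(conn: sqlite3.Connection) -> List[int]:
    """IDs of log rows recorded for secret-bearing CLI commands."""
    marks = ",".join("?" * len(SECRET_EVENTS))
    cur = conn.execute(f"SELECT id FROM log WHERE event IN ({marks}) ORDER BY id", SECRET_EVENTS)
    return [row[0] for row in cur.fetchall()]


def redact_extra(extra: str) -> str:
    """Blank the known secret fields and any password-flag value in the command line."""
    data = json.loads(extra) if extra else {}
    for key in SECRET_KEYS:
        if data.get(key) is not None:
            data[key] = REDACTED
    if isinstance(data.get("full_command"), str):
        data["full_command"] = PASSWORD_FLAG.sub(
            lambda m: m.group(1) + m.group(2) + REDACTED, data["full_command"])
    return json.dumps(data)


def redact_secret_rows(conn: sqlite3.Connection) -> int:
    """Redact in place, keeping the audit row itself; returns the number of rows changed.

    The advisory's alternative is to delete the rows outright:
    DELETE FROM log WHERE id IN (...). Redaction keeps the who/when trail.
    """
    changed = 0
    for row_id in find_secret_rows(conn):
        (extra,) = conn.execute("SELECT extra FROM log WHERE id = ?", (row_id,)).fetchone()
        conn.execute("UPDATE log SET extra = ? WHERE id = ?", (redact_extra(extra), row_id))
        changed += 1
    conn.commit()
    return changed


def get_extra(conn: sqlite3.Connection, row_id: int) -> dict:
    (extra,) = conn.execute("SELECT extra FROM log WHERE id = ?", (row_id,)).fetchone()
    return json.loads(extra) if extra else {}


def secrets_still_present(conn: sqlite3.Connection, secrets: List[str]) -> List[str]:
    """Which of the given secret strings still occur anywhere in log.extra (post-check)."""
    return [s for s in secrets
            if conn.execute("SELECT 1 FROM log WHERE extra LIKE ? LIMIT 1",
                            (f"%{s}%",)).fetchone()]


if __name__ == "__main__":
    db = build_sample_db()
    print("secret-bearing rows:", find_secret_rows(db))
    print("rows redacted:", redact_secret_rows(db))
    print("still leaking:", secrets_still_present(db, ["S3cr3t!", "pgpass", "tok_123"]))
```

The post-check matters more than the redaction: after the clean-up, grep the table for the actual secret values you know were passed on the command line (and rotate them anyway, since anyone with audit log access may already have read them).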