apache-airflow@2.0.0 vulnerabilities

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the ability of DAG authors to add local settings to the DAG folder which then gets executed by the scheduler. An attacker can escalate privileges and execute arbitrary code by manipulating the DAG configuration files. This vulnerability is can be exploited by an attacker with DAG author permissions.

Upgrade apache-airflow to version 2.10.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the example_inlet_event_extra.py DAG configuration. An attacker with DAG trigger permissions can execute arbitrary commands by exploiting this vulnerability.

Upgrade apache-airflow to version 2.10.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the provider documentation link due to improper user input sanitization in the get_doc_url_for_provider function. By enticing a user to click on a maliciously crafted provider link, an attacker can execute scripts in the context of the user's browser session.

Upgrade apache-airflow to version 2.10.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') that allows an authenticated attacker to inject a malicious link into the provider installation process.

Upgrade apache-airflow to version 2.9.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information by not returning the Cache-Control header for dynamic content. This allows sensitive data to be written to the local browser cache.

Upgrade apache-airflow to version 2.9.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation for FTP_TLS connections, which are created without setting the proper context using ssl.create_default_context().

Upgrade apache-airflow to version 2.9.0b1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Default Permissions that allow Ops and Viewers users to view all information in audit logs, including DAG names and usernames they are not permitted to view.

Upgrade apache-airflow to version 2.8.2rc1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper permission checks in the API and UI components. An attacker can view DAG code and import errors for DAGs they are not authorized to access by exploiting this vulnerability.

Upgrade apache-airflow to version 2.8.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Authorization due to improper validation of the dag_id, allowing unauthorized read access to a DAG through the URL.

Upgrade apache-airflow to version 2.6.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation of input during the deserialization process of XCom data. An attacker can execute arbitrary code by submitting crafted input that bypasses the protection of the enable_xcom_pickling=False configuration setting, leading to poisoned data after deserialization.

Upgrade apache-airflow to version 2.8.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Missing Authorization via the permission verification process. An attacker can read the source code of a DAG without having the proper permissions by exploiting this vulnerability.

Upgrade apache-airflow to version 2.8.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Denial of Service (DoS) allowing an attacker to cause a service disruption by manipulating the run_id parameter.

Upgrade apache-airflow to version 2.6.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control allowing an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources that the user had no access to.

NOTE: This was thought to be fixed in version 2.7.2, with the publication of CVE-2023-42792, but it was missed.

Upgrade apache-airflow to version 2.8.0b1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control via the varimport endpoint. A user who lacks the variable edit permission can edit a variable.

Upgrade apache-airflow to version 2.8.0b1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Authorization in forms.py that allows authenticated users with DAG-view permission to modify some DAG run detail values (such as configuration parameters, start date, etc.) when submitting notes.

This vulnerability is the same one described by CVE-2023-40611, which has now been fixed.

Upgrade apache-airflow to version 2.7.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control in handling task instances. A user can read information about task instances in other DAGs.

Upgrade apache-airflow to version 2.7.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control allowing authenticated users to list warnings for all DAGs, even if the user had no permission reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.

Upgrade apache-airflow to version 2.7.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control allowing an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources that the user had no access to.

NOTE: This was thought to be fixed in version 2.7.2, but was missed and later addressed with the publication of CVE-2023-48291.

Upgrade apache-airflow to version 2.7.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure due to the improper access control mechanism, an authorized user with read access to specific Directed Acyclic Graphs (DAGs) can access information about task instances in other DAGs.

Note: This is only exploitable if the user has been granted read access to specific DAGs.

Upgrade apache-airflow to version 2.7.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Insecure Defaults when it had support for the deserialize flag by default in the 'xcomEntries' API. This was an unsafe default, as deserialization may instantiate arbitrary objects.

Upgrade apache-airflow to version 2.7.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Authorization in forms.py that allows authenticated users with DAG-view permission to modify some DAG run detail values (such as configuration parameters, start date, etc.) when submitting notes.

NOTE: This vulnerability was originally marked as fixed in 2.7.1 but the fix did not make it into that version. It was subsequently fixed in 2.7.3 and also assigned CVE-2023-47037.

Upgrade apache-airflow to version 2.7.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure in a rendered template generated with views.py and timezone.py. Users who have access to see the task/dag in the UI can craft a URL, which could unmask the masked configuration of the task.

Upgrade apache-airflow to version 2.7.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Denial of Service (DoS) that can be exploited by an authenticated user with Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server.

Note:

Malicious actors can leverage this vulnerability to establish harmful connections with the server.

Mitigation:

Administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.

Upgrade apache-airflow to version 2.7.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation. Due to the improper validation in the SSL context, an attacker could potentially intercept the client's communication in a MITM position. This vulnerability allows for the acceptance of any server's X.509 certificate leading to possible disclosure of mail server credentials or mail content.

Note:

This is only exploitable if the default SSL context is being used. The attacker will need to inject themselves within the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications.

Upgrade apache-airflow to version 2.7.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Session Fixation. An authenticated user can continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user.

Note: Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there are no mechanisms to force-logout the user.

Upgrade apache-airflow to version 2.7.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the "Run Task" feature, which allows users to execute code in the webserver context and access certain DAGs.

Upgrade apache-airflow to version 2.6.0b1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Input Validation which allows an authenticated user to use crafted input to make the current request hang.

Upgrade apache-airflow to version 2.6.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Authorization due to improper validation of the dag_id parameter, which allows unauthorized read access to a DAG through the URL.

Upgrade apache-airflow to version 2.6.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Directory Traversal by manipulating the run_id parameter due to improper input sanitization, which allows an attacker to perform unauthorized file access outside the intended directory structure.

Upgrade apache-airflow to version 2.6.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure via the Connection edit view, which allows an unauthorized actor to gain access to sensitive information

Note: Exploiting this vulnerability requires someone with access to Connection resources, specifically updating the connection to exploit it.

Upgrade apache-airflow to version 2.6.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Privilege Escalation due to missing permissions validation in the File Task Handler. An attacker can use airflow logs to trigger this vulnerability.

Note: Default permissions are set to group-writeable allowing for impersonation use case.

Upgrade apache-airflow to version 2.6.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization via the task instance details page in the UI.

Upgrade apache-airflow to version 2.6.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure such that the UI traceback contains information that might be useful for a potential attacker to better target their attack.

Upgrade apache-airflow to version 2.5.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Command Injection due to lack of sanitization of input to the LOAD DATA LOCAL INFILE statement, which can be used by an attacker to execute commands on the operating system.

Upgrade apache-airflow to version 2.5.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Open Redirect in the webserver's /login endpoint.

Upgrade apache-airflow to version 2.4.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure due to allowing an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed).

Upgrade apache-airflow to version 2.3.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Command Injection by allowing an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter.

Upgrade apache-airflow to version 2.4.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Open Redirect in the webserver's /confirm endpoint.

Upgrade apache-airflow to version 2.4.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Trigger DAG with config screen, via the origin query argument due to improper user-input sanitization.

Upgrade apache-airflow to version 2.4.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Access Restriction Bypass in the create_app() function in app.py, which allows an authenticated user with an active session to continue using the session after their account has been deactivated.

Upgrade apache-airflow to version 2.4.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure due to an insecure umask that was configured for numerous Airflow components when running with the --daemon flag. Exploiting this behavior could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.

Upgrade apache-airflow to version 2.3.4 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Trigger DAG with config" screen, which is susceptible to XSS attacks via the origin query argument.

Upgrade apache-airflow to version 2.2.4 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Command Injection via example DAGs that accept user provided parameters as a result of a lacking sanitization process, making them susceptible to OS Command Injection from the web UI.

Upgrade apache-airflow to version 2.2.4 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control by allowing users with "can_create" permissions on DAG Runs to create Dag Runs for dags that they don't have "edit" permissions for.

Upgrade apache-airflow to version 2.2.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Authentication due to missing authentication in the variable import endpoint. This allowed unauthenticated users to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.

Upgrade apache-airflow to version 2.1.3 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure. If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs.

Upgrade apache-airflow to version 2.1.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the origin parameter, when passed to certain endpoints like /trigger. Note: this is an updated fix for CVE-2020-13944 and CVE-2020-17515.

Upgrade apache-airflow to version 1.10.15, 2.0.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Privilege Escalation. Improper access control on the configurations endpoint for the Stable API allows users with Viewer or User role to get airflow configurations including sensitive information even when [webserver] expose_config is set to False in airflow.cfg.

Upgrade apache-airflow to version 2.0.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Authentication. The lineage endpoint of the deprecated Experimental API was not protected by authentication. This allowed unauthenticated users to hit that endpoint.This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task.

Upgrade apache-airflow to version 2.0.1rc1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.

Upgrade apache-airflow to version 2.0.2 or higher.