apache-airflow@2.7.3rc1 vulnerabilities

Programmatically author, schedule and monitor data pipelines

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity: H = High, M = Medium), followed by the vulnerable version range
  • H
Improper Certificate Validation

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation: FTP_TLS connections are created without an SSL context built with ssl.create_default_context(), so the server certificate is not verified.

How to fix Improper Certificate Validation?

Upgrade apache-airflow to version 2.9.0b1 or higher.

[,2.9.0b1)
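The Python-level difference the advisory refers to, as an added example (not Airflow's own hook code): an ftplib.FTP_TLS client built with no context falls back to an unverified default context, while one built with ssl.create_default_context() requires a valid certificate chain and a matching hostname. No connection is made, so the check runs offline; the function and variable names are this example's own.

```python
import ssl
from ftplib import FTP_TLS


def make_ftps(verify: bool) -> FTP_TLS:
    """Build an FTP_TLS client without connecting (no host is passed).

    verify=False reproduces the pattern the advisory describes: FTP_TLS() is
    created with no SSL context, so ftplib substitutes an unverified default
    (no certificate validation, no hostname check).
    verify=True passes ssl.create_default_context(), which loads the system
    CA store and requires a certificate that matches the server hostname.
    """
    if not verify:
        return FTP_TLS()  # vulnerable pattern: unverified default context
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    return FTP_TLS(context=ctx)


def verify_mode_name(client: FTP_TLS) -> str:
    """Name of the client's verify mode, e.g. 'CERT_NONE' or 'CERT_REQUIRED'."""
    return client.context.verify_mode.name


def validates_server_cert(client: FTP_TLS) -> bool:
    """True only if the client verifies the chain and checks the hostname."""
    ctx = client.context
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for verify in (False, True):
        c = make_ftps(verify)
        print(f"verify={verify}: mode={verify_mode_name(c)} "
              f"validates_server_cert={validates_server_cert(c)}")
```

The same check is a cheap unit test for any code base that wraps FTP_TLS itself: assert on the context of the constructed client rather than on a live connection.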
  • M
Information Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure via the configuration UI page. When webserver.expose_config is set to non-sensitive-only, sensitive provider configuration values are still displayed; currently the celery provider is the only community provider that has sensitive configuration.

Note:

This is only exploitable if the webserver.expose_config configuration option is set to non-sensitive-only.

How to fix Information Exposure?

Upgrade apache-airflow to version 2.9.0 or higher.

[2.7.0,2.9.0)
  • M
Incorrect Default Permissions

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Default Permissions that allow Ops and Viewers users to view all information in audit logs, including DAG names and usernames they are not permitted to view.

How to fix Incorrect Default Permissions?

Upgrade apache-airflow to version 2.8.2rc1 or higher.

[,2.8.2rc1)
  • M
Exposure of Resource to Wrong Sphere

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper permission checks in the API and UI components. An attacker can view DAG code and import errors for DAGs they are not authorized to access.

How to fix Exposure of Resource to Wrong Sphere?

Upgrade apache-airflow to version 2.8.2 or higher.

[,2.8.2)
  • M
Deserialization of Untrusted Data

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation of input during deserialization of XCom data. An attacker who can submit crafted XCom input can bypass the protection intended by the enable_xcom_pickling=False configuration setting, producing poisoned data on deserialization and leading to arbitrary code execution.

How to fix Deserialization of Untrusted Data?

Upgrade apache-airflow to version 2.8.1 or higher.

[,2.8.1)
  • M
Missing Authorization

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Missing Authorization in the permission verification process. An attacker can read the source code of a DAG without having the required permissions.

How to fix Missing Authorization?

Upgrade apache-airflow to version 2.8.1 or higher.

[,2.8.1)
  • M
Cross-site Request Forgery (CSRF)

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF): a DAG can be triggered via a GET request, so an attacker can trigger a DAG by convincing a user who is authenticated to the Airflow UI to visit a malicious website in the same browser.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade apache-airflow to version 2.8.0 or higher.

[2.7.0,2.8.0)
  • M
Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control, allowing an authenticated user with limited access to some DAGs to craft a request that grants write access to DAG resources the user had no access to.

NOTE: This was thought to be fixed in version 2.7.2, with the publication of CVE-2023-42792, but it was missed.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.8.0b1 or higher.

[,2.8.0b1)
  • M
Cross-site Scripting (XSS)

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the parameter description field of a DAG. A DAG author can embed JavaScript, which can be executed on the client side when a user views the DAG details in the browser. This could lead to misleading information being displayed to the user.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-airflow to version 2.8.0b1 or higher.

[2.6.0,2.8.0b1)
  • M
Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control via the varimport endpoint. A user who lacks the variable edit permission can edit a variable.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.8.0b1 or higher.

[,2.8.0b1)
  • M
Incorrect Authorization

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Authorization in forms.py that allows authenticated users with DAG-view permission to modify some DAG run detail values (such as configuration parameters or start date) when submitting notes.

This is the same vulnerability described by CVE-2023-40611, which has now been fixed.

How to fix Incorrect Authorization?

Upgrade apache-airflow to version 2.7.3 or higher.

[,2.7.3)
  • M
Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control in handling task instances. A user can read information about task instances in other DAGs.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.7.3 or higher.

[,2.7.3)
  • M
Incorrect Authorization

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Authorization in forms.py that allows authenticated users with DAG-view permission to modify some DAG run detail values (such as configuration parameters or start date) when submitting notes.

NOTE: This vulnerability was originally marked as fixed in 2.7.1 but the fix did not make it into that version. It was subsequently fixed in 2.7.3 and also assigned CVE-2023-47037.

How to fix Incorrect Authorization?

Upgrade apache-airflow to version 2.7.3 or higher.

[,2.7.3)
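The vulnerable version ranges above use interval notation: "[" and "]" are inclusive bounds, "(" and ")" exclusive, and an empty bound is open-ended, so "[,2.7.3)" means every version below 2.7.3, which includes the 2.7.3rc1 pre-release this page is about. Pre-release ordering is where audits go wrong (2.7.3rc1 sorts below 2.7.3; 2.9.0b1 sorts below 2.9.0). The following is an added example, not Snyk's or Airflow's code, that evaluates these ranges for a given version; it handles only the X.Y.Z plus a/b/rc suffixes that appear on this page (PEP 440 ordering for those suffixes, nothing else), and the PAGE_RANGES table is constructed from the entries above with the duplicated titles disambiguated in parentheses.

```python
import re

# a < b < rc < final release, as PEP 440 orders these suffixes.
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_RANGE_RE = re.compile(r"^([\[(])\s*([^,]*)\s*,\s*([^\])]*)\s*([\])])$")


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z' or 'X.Y.Zrc1'/'b1'/'a1' into a sortable tuple.

    A final release sorts after any of its own pre-releases (2.7.3rc1 < 2.7.3).
    Post/dev/local version forms are deliberately rejected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    release = (int(major), int(minor), int(patch))
    if pre_tag is None:
        pre = (len(_PRE_ORDER), 0)  # final release: above every a/b/rc
    else:
        pre = (_PRE_ORDER[pre_tag], int(pre_num))
    return release + pre


def in_range(version: str, spec: str) -> bool:
    """True if `version` lies inside an interval such as '[2.7.0,2.9.0)'."""
    m = _RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported range spec: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    lo, hi = lo.strip(), hi.strip()
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_br == "("):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_br == ")"):
            return False
    return True


# Constructed from this page's entries (title -> vulnerable range).
PAGE_RANGES = {
    "Improper Certificate Validation": "[,2.9.0b1)",
    "Information Exposure": "[2.7.0,2.9.0)",
    "Incorrect Default Permissions": "[,2.8.2rc1)",
    "Exposure of Resource to Wrong Sphere": "[,2.8.2)",
    "Deserialization of Untrusted Data": "[,2.8.1)",
    "Missing Authorization": "[,2.8.1)",
    "Cross-site Request Forgery (CSRF)": "[2.7.0,2.8.0)",
    "Improper Access Control (DAG resources)": "[,2.8.0b1)",
    "Cross-site Scripting (XSS)": "[2.6.0,2.8.0b1)",
    "Improper Access Control (varimport)": "[,2.8.0b1)",
    "Incorrect Authorization (forms.py)": "[,2.7.3)",
    "Improper Access Control (task instances)": "[,2.7.3)",
}


def affecting(version: str) -> list:
    """Titles of the page's advisories whose range contains `version`."""
    return [title for title, spec in PAGE_RANGES.items() if in_range(version, spec)]


if __name__ == "__main__":
    for v in ("2.7.3rc1", "2.7.3", "2.9.0b1", "2.9.0"):
        print(f"{v}: {len(affecting(v))} advisories -> {affecting(v)}")
```

Running it shows why the release candidate matters: 2.7.3rc1 falls inside every range on the page, the 2.7.3 final release drops the two forms.py/task-instance entries, and only 2.9.0 clears all of them.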