apache-airflow@2.8.0rc4 vulnerabilities

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation for FTP_TLS connections, which are created without setting the proper context using ssl.create_default_context().

Upgrade apache-airflow to version 2.9.0b1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure via the configuration UI page. An attacker can see sensitive provider configuration by setting webserver.expose_config to non-sensitive-only, even though the celery provider is the only community provider currently that has sensitive configurations.

Note:

This is only exploitable if webserver.expose_config configuration is set to non-sensitive-only.

Upgrade apache-airflow to version 2.9.0 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Default Permissions that allow Ops and Viewers users to view all information in audit logs, including DAG names and usernames they are not permitted to view.

Upgrade apache-airflow to version 2.8.2rc1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper permission checks in the API and UI components. An attacker can view DAG code and import errors for DAGs they are not authorized to access by exploiting this vulnerability.

Upgrade apache-airflow to version 2.8.2 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation of input during the deserialization process of XCom data. An attacker can execute arbitrary code by submitting crafted input that bypasses the protection of the enable_xcom_pickling=False configuration setting, leading to poisoned data after deserialization.

Upgrade apache-airflow to version 2.8.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Missing Authorization via the permission verification process. An attacker can read the source code of a DAG without having the proper permissions by exploiting this vulnerability.

Upgrade apache-airflow to version 2.8.1 or higher.

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) that allows triggering a DAG in a GET request, by convincing a user who is authenticated to the Airflow UI to visit a malicious website in the same browser.

Upgrade apache-airflow to version 2.8.0 or higher.