apache-airflow@2.8.4rc1 vulnerabilities

Programmatically author, schedule and monitor data pipelines

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version

Severity: H (High)
Improper Certificate Validation

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation for FTP_TLS connections: the client is created without a proper SSL context set up with ssl.create_default_context(), so the FTP server's certificate is not validated.

How to fix Improper Certificate Validation?

Upgrade apache-airflow to version 2.9.0b1 or higher.

Vulnerable version range: [,2.9.0b1)

Severity: M (Medium)
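As an added illustration, not code from this page or from Airflow itself: the unverified FTP_TLS pattern beside the fixed one, plus a small audit helper that reports whether a client's context would reject an untrusted or mismatched server certificate (the function names are assumed, and no network connection is made).

```python
import ssl
from ftplib import FTP_TLS


def insecure_ftp_tls_client() -> FTP_TLS:
    """Pre-fix pattern: no explicit context, so ftplib supplies an
    unverified one (CERT_NONE, no hostname check). Any certificate the
    server presents during AUTH TLS is accepted, including a forged one."""
    return FTP_TLS()  # no host given, so nothing connects


def hardened_ftp_tls_client() -> FTP_TLS:
    """Post-fix pattern: pass a default context, which loads the system
    trust store, requires a valid chain and checks the hostname."""
    return FTP_TLS(context=ssl.create_default_context())


def ftp_tls_verifies_server(client: FTP_TLS) -> bool:
    """Audit helper (assumed name, not an Airflow API): True only when the
    client's SSLContext requires a trusted chain and a matching hostname."""
    ctx = client.context
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for name, client in (("insecure", insecure_ftp_tls_client()),
                         ("hardened", hardened_ftp_tls_client())):
        print(f"{name}: verifies server certificate = "
              f"{ftp_tls_verifies_server(client)}")
```

The same check can be pointed at any FTP_TLS instance a hook hands back, which makes it a cheap unit test for the upgraded version.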
Information Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure via the configuration UI page. When webserver.expose_config is set to non-sensitive-only, the page still displays sensitive provider configuration, so a user with access to that page can read it. At the time of the advisory, the celery provider is the only community provider that has sensitive configuration values.

Note:

This is only exploitable if webserver.expose_config configuration is set to non-sensitive-only.

How to fix Information Exposure?

Upgrade apache-airflow to version 2.9.0 or higher.

Vulnerable version range: [2.7.0,2.9.0)

Severity: M (Medium)
Improper Preservation of Permissions

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Preservation of Permissions: the local file task handler sets the permissions of every parent folder of the log folder to writable by the group of the application user. An attacker who gains write access to these folders may be able to modify or delete logs. In configurations where the affected parent folders include the home directory, the permission change can also block SSH operations by other users.

Note: This vulnerability only applies if the Airflow installation is in a shared container or environment with other applications or users, which is not the case for Official Airflow Docker reference images. Furthermore, it does not apply if umask is set to 002, which is a common default.

How to fix Improper Preservation of Permissions?

Upgrade apache-airflow to version 2.8.4 or higher.

Vulnerable version range: [2.8.2,2.8.4)