apache-airflow@2.9.1rc2 vulnerabilities

Programmatically author, schedule and monitor data pipelines

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity marker: M = medium, H = high)   Vulnerable version range (Snyk interval notation; e.g. [2.4.0,2.9.3) means 2.4.0 up to but not including 2.9.3)
  • M
Insertion of Sensitive Information into Log File

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File: configuration variables belonging to other DAG author users end up in log output readable by an attacker. Whether those variables hold sensitive values is outside the attacker's control, but any that do are exposed.

How to fix Insertion of Sensitive Information into Log File?

Upgrade apache-airflow to version 2.10.3rc1 or higher.

[,2.10.3rc1)
  • M
Uninitialized Memory Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure: values set via the airflow CLI are stored unencrypted in the audit log, so any authenticated user with audit log access can read them.

Note: upgrading stops new values from being recorded but does not remove entries already written. Users who set secret variables through the CLI on an affected version should manually delete those entries from the log table, and should treat any secret set that way as potentially disclosed and rotate it.

How to fix Uninitialized Memory Exposure?

Upgrade apache-airflow to version 2.10.3 or higher.

[,2.10.3)
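The clean-up the note above asks for, as an added example (not Airflow's or Snyk's own code). It assumes Airflow's `log` table carries `id`, `dttm`, `event`, `owner` and `extra` columns, that `airflow variables set` is recorded with the event name `cli_variables_set`, and that `extra` is a JSON blob whose `full_command` field holds the CLI argv; verify all three against your own metadata database before running the delete. The rows below are constructed sample data and the database is an in-memory SQLite stand-in for the real one.

```python
"""Find and purge audit-log rows that captured secrets from `airflow variables set`."""
import ast
import json
import sqlite3

# Assumed event name Airflow records for `airflow variables set` (verify in your DB).
LEAKY_EVENTS = ("cli_variables_set",)

# Constructed sample rows, not real audit records.
SAMPLE_ROWS = [
    ("2024-10-01 09:00:00", "cli_dags_list", "alice",
     json.dumps({"host_name": "ops-1", "full_command": "['airflow', 'dags', 'list']"})),
    ("2024-10-01 09:05:00", "cli_variables_set", "alice",
     json.dumps({"host_name": "ops-1",
                 "full_command": "['airflow', 'variables', 'set', 'DB_PASSWORD', 'hunter2']"})),
    ("2024-10-01 09:06:00", "cli_variables_get", "bob",
     json.dumps({"host_name": "ops-1",
                 "full_command": "['airflow', 'variables', 'get', 'DB_PASSWORD']"})),
    ("2024-10-02 11:00:00", "cli_variables_set", "bob",
     json.dumps({"host_name": "ops-2",
                 "full_command": "['airflow', 'variables', 'set', 'API_TOKEN', 'tok-123']"})),
]


def build_sample_db():
    """In-memory stand-in for the Airflow metadata DB with the assumed `log` columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, dttm TEXT, "
                 "event TEXT, owner TEXT, extra TEXT)")
    conn.executemany("INSERT INTO log (dttm, event, owner, extra) VALUES (?, ?, ?, ?)",
                     SAMPLE_ROWS)
    conn.commit()
    return conn


def _variable_name(argv_repr):
    """Extract the variable name from the recorded argv without echoing the value."""
    try:
        argv = ast.literal_eval(argv_repr)
    except (ValueError, SyntaxError):
        return None
    if isinstance(argv, list) and "set" in argv:
        i = argv.index("set")
        return argv[i + 1] if i + 1 < len(argv) else None
    return None


def find_leaked_entries(conn, events=LEAKY_EVENTS):
    """Return (id, dttm, owner, variable_name) for rows whose argv carried a secret."""
    placeholders = ",".join("?" * len(events))
    rows = conn.execute(
        f"SELECT id, dttm, owner, extra FROM log WHERE event IN ({placeholders}) ORDER BY id",
        events).fetchall()
    found = []
    for row_id, dttm, owner, extra in rows:
        try:
            argv_repr = json.loads(extra).get("full_command", "")
        except (TypeError, ValueError):
            argv_repr = ""
        # Report only the variable name: the value itself must not leak again via stdout.
        found.append((row_id, dttm, owner, _variable_name(argv_repr)))
    return found


def purge_leaked_entries(conn, events=LEAKY_EVENTS):
    """Delete the offending rows in one transaction and return how many were removed."""
    placeholders = ",".join("?" * len(events))
    with conn:  # commits on success, rolls back if the DELETE raises
        cur = conn.execute(f"DELETE FROM log WHERE event IN ({placeholders})", events)
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for entry in find_leaked_entries(db):
        print("leaked value for variable", entry[3], "recorded at", entry[1], "by", entry[2])
    print("removed", purge_leaked_entries(db), "rows")
```

Run the `find` step first and review what it reports before the `purge` step; on a production Postgres or MySQL backend the same two statements apply unchanged, but take a backup first and remember that deleting the rows does not undo any read that already happened, nor any copy sitting in database backups or replication logs.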
  • H
Execution with Unnecessary Privileges

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges because a DAG author can place a local settings module in the DAG folder, which the scheduler then loads and executes with its own privileges. An attacker with DAG author permissions can thereby escalate privileges and execute arbitrary code in the scheduler's context.

How to fix Execution with Unnecessary Privileges?

Upgrade apache-airflow to version 2.10.1 or higher.

[,2.10.1)
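A check for the condition described above, as an added example that is not Airflow's own code. It assumes the settings module is named `airflow_local_settings` (Airflow's documented name for it) and that the scheduler searches the DAG folder before the config folder, since that ordering is what lets a DAG author's copy win; the directory layout is constructed for the demonstration. Rather than guessing, the second function asks Python's own import machinery which file would be loaded for a given search-path order.

```python
"""Detect a DAG-folder file that would shadow Airflow's local settings module."""
import importlib
import importlib.machinery
import os
import tempfile

# Module names an operator expects to come from the config folder, not the DAG folder.
SHADOWABLE = ("airflow_local_settings",)


def find_dag_folder_shadows(dags_folder, names=SHADOWABLE):
    """List (module, path) for DAG-folder files whose module name collides with a settings module."""
    hits = []
    for root, _dirs, files in os.walk(dags_folder):
        for fname in sorted(files):
            stem, ext = os.path.splitext(fname)
            if ext in (".py", ".pyc") and stem in names:
                hits.append((stem, os.path.join(root, fname)))
    return hits


def resolve_settings_module(search_path, module="airflow_local_settings"):
    """Return the file the import system would load for `module` given this search-path order."""
    importlib.invalidate_caches()  # never trust finder caches from an earlier call
    spec = importlib.machinery.PathFinder.find_spec(module, list(search_path))
    return spec.origin if spec is not None else None


def quarantine_shadow(path):
    """Rename a planted file so it is no longer importable; returns the new path."""
    new_path = path + ".quarantined"
    os.rename(path, new_path)
    return new_path


def build_sample_layout():
    """Constructed AIRFLOW_HOME: a legitimate config/ copy plus a copy planted in dags/."""
    home = tempfile.mkdtemp(prefix="airflow-home-")
    dags, config = os.path.join(home, "dags"), os.path.join(home, "config")
    os.makedirs(os.path.join(dags, "team_a"))
    os.makedirs(config)
    with open(os.path.join(config, "airflow_local_settings.py"), "w") as f:
        f.write("# legitimate operator-controlled settings\n")
    with open(os.path.join(dags, "airflow_local_settings.py"), "w") as f:
        f.write("# planted by a DAG author: whatever is here runs inside the scheduler\n")
    with open(os.path.join(dags, "team_a", "etl.py"), "w") as f:
        f.write("# an ordinary DAG file\n")
    return home, dags, config


if __name__ == "__main__":
    _home, dags, config = build_sample_layout()
    for module, path in find_dag_folder_shadows(dags):
        print("shadowing file:", path)
    print("scheduler would load:", resolve_settings_module([dags, config]))
```

On a real deployment point `find_dag_folder_shadows` at `[core] dags_folder` and, since a planted copy may arrive through the same git-sync or CI path as ordinary DAGs, run it from the scheduler host's view of the folder rather than from the repository.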
  • H
Improper Encoding or Escaping of Output

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the bundled example DAG example_inlet_event_extra.py. An attacker with DAG trigger permissions can execute arbitrary commands by exploiting this vulnerability, so deployments that cannot upgrade immediately should at least not load the example DAGs (core load_examples = False).

How to fix Improper Encoding or Escaping of Output?

Upgrade apache-airflow to version 2.10.1 or higher.

[,2.10.1)
  • M
Cross-site Scripting (XSS)

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the provider documentation link due to improper user input sanitization in the get_doc_url_for_provider function. By enticing a user to click on a maliciously crafted provider link, an attacker can execute scripts in the context of the user's browser session.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-airflow to version 2.10.0 or higher.

[,2.10.0)
  • M
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') that allows an authenticated attacker to inject a malicious link into the provider installation process.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade apache-airflow to version 2.9.3 or higher.

[,2.9.3)
  • H
Improper Control of Generation of Code ('Code Injection')

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection'), which allows an authenticated DAG author to craft a doc_md parameter and execute arbitrary code in the scheduler context.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade apache-airflow to version 2.9.3 or higher.

[2.4.0,2.9.3)
  • M
Use of Web Browser Cache Containing Sensitive Information

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information because the webserver does not return a Cache-Control header for dynamic content, so pages carrying sensitive data can be written to the local browser cache and read back later from that cache.

How to fix Use of Web Browser Cache Containing Sensitive Information?

Upgrade apache-airflow to version 2.9.2 or higher.

[,2.9.2)
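The missing header and one way to enforce it, as an added example that is not Airflow's own fix. Airflow's webserver is a Flask (WSGI) application, so a WSGI middleware can force `Cache-Control: no-store` on every dynamic response regardless of what the application sets; the `/static/` prefix, the demo application and the offline request helper are assumptions made for the demonstration. The last function is the detection-side check an auditor would run against real response headers.

```python
"""Force no-store caching headers on dynamic responses of a WSGI application."""
from io import BytesIO

STATIC_PREFIXES = ("/static/",)  # assumed: only static assets are safe to cache
NO_STORE = "no-store, no-cache, must-revalidate, max-age=0"
CACHING_HEADERS = ("cache-control", "pragma", "expires")


class NoStoreMiddleware:
    """Wrap a WSGI app so every non-static response forbids caching."""

    def __init__(self, app, static_prefixes=STATIC_PREFIXES):
        self.app = app
        self.static_prefixes = tuple(static_prefixes)

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith(self.static_prefixes):
            return self.app(environ, start_response)

        def _start_response(status, headers, exc_info=None):
            # Drop whatever caching policy the app emitted, then impose no-store.
            kept = [(k, v) for k, v in headers if k.lower() not in CACHING_HEADERS]
            kept.append(("Cache-Control", NO_STORE))
            kept.append(("Pragma", "no-cache"))
            return start_response(status, kept, exc_info)

        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for a webserver that omits Cache-Control on dynamic pages."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html>connection list with passwords</html>"]


def invoke(app, path):
    """Call a WSGI app offline; return (status, headers dict, body) without a server."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.input": BytesIO(b"")}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def check_no_store(headers):
    """Audit check: does this response forbid storing its body in the browser cache?"""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return "no-store" in directives


if __name__ == "__main__":
    _, before, _ = invoke(demo_app, "/connection/list")
    _, after, _ = invoke(NoStoreMiddleware(demo_app), "/connection/list")
    print("unpatched response cacheable:", not check_no_store(before))
    print("wrapped response cacheable:", not check_no_store(after))
```

With a Flask application object the wrap is `app.wsgi_app = NoStoreMiddleware(app.wsgi_app)`; apply it only to paths that actually serve dynamic content, because `no-store` on static assets costs bandwidth for no security benefit.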
  • M
Cross-site Scripting (XSS)

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the task instance logs: an authenticated attacker can inject malicious content into task logs that is then rendered unescaped in the web UI.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-airflow to version 2.9.1 or higher.

[2.9.0,2.9.1)
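Deciding which of the entries above apply to a given installation means comparing its version against the interval notation used throughout this listing, and pre-release tags matter (2.9.1rc2, the version this page is about, sorts below 2.9.1 and so falls inside [2.9.0,2.9.1)). The checker below is an added example, not Snyk's or Airflow's tooling: it implements PEP 440-style ordering for the release and pre-release forms that appear on this page, and the range table is transcribed from the listing above with the titles shortened where two entries share a name.

```python
"""Check an apache-airflow version against the vulnerable ranges listed on this page."""
import re

# (title, vulnerable range) pairs transcribed from the listing above.
VULNS = [
    ("Insertion of Sensitive Information into Log File", "[,2.10.3rc1)"),
    ("Uninitialized Memory Exposure", "[,2.10.3)"),
    ("Execution with Unnecessary Privileges", "[,2.10.1)"),
    ("Improper Encoding or Escaping of Output", "[,2.10.1)"),
    ("Cross-site Scripting (XSS) via provider documentation link", "[,2.10.0)"),
    ("Injection into provider installation process", "[,2.9.3)"),
    ("Code Injection via doc_md", "[2.4.0,2.9.3)"),
    ("Use of Web Browser Cache Containing Sensitive Information", "[,2.9.2)"),
    ("Cross-site Scripting (XSS) in task instance logs", "[2.9.0,2.9.1)"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # a final release sorts after any pre-release of the same number


def parse_version(text):
    """Sortable key for versions such as '2.9.1', '2.10.3rc1' or '2.9.1rc2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()  # so that 2.9 and 2.9.0 compare equal
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return tuple(release), pre


_RANGE_RE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])$")


def parse_range(text):
    """Parse '[2.4.0,2.9.3)' style intervals; an empty bound means unbounded."""
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported range: {text!r}")
    low = parse_version(m.group(2)) if m.group(2) else None
    high = parse_version(m.group(3)) if m.group(3) else None
    return low, high, m.group(1) == "[", m.group(4) == "]"


def in_range(version, range_text):
    """True if `version` lies inside the interval, honouring open/closed bounds."""
    v = parse_version(version)
    low, high, low_inclusive, high_inclusive = parse_range(range_text)
    if low is not None and (v < low or (v == low and not low_inclusive)):
        return False
    if high is not None and (v > high or (v == high and not high_inclusive)):
        return False
    return True


def affecting(version, vulns=VULNS):
    """Titles of listed vulnerabilities whose range contains `version`."""
    return [title for title, rng in vulns if in_range(version, rng)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "2.9.1rc2"
    hits = affecting(target)
    print(f"{target}: {len(hits)} listed vulnerabilities apply")
    for title in hits:
        print(" -", title)
```

The checker covers only the direct vulnerabilities on this page; feed it the output of `pip show apache-airflow` or `airflow version` on the target host, and keep in mind that the page itself excludes issues in Airflow's dependencies.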