VYPR

apk package

chainguard/airflow-compat

pkg:apk/chainguard/airflow-compat

Vulnerabilities (32)

  • CVE-2024-45314Sep 4, 2024
    affected < 2.10.3-r0fixed 2.10.3-r0

    Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch f

  • CVE-2024-41937Aug 21, 2024
    affected < 2.10.0-r0fixed 2.10.0-r0

    Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user t

  • CVE-2024-42367Aug 9, 2024
    affected < 2.9.3-r2fixed 2.9.3-r2

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director

  • CVE-2024-42447Aug 5, 2024
    affected < 2.9.3-r2fixed 2.9.3-r2

    Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out.   * FAB prov

  • CVE-2024-39877Jul 17, 2024
    affected < 2.9.3-r0fixed 2.9.3-r0

    Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users sho

  • CVE-2024-39863Jul 17, 2024
    affected < 2.9.3-r0fixed 2.9.3-r0

    Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

  • CVE-2024-6345HigJul 15, 2024
    affected < 2.9.3-r1fixed 2.9.3-r1

    A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti

  • CVE-2024-39689Jul 5, 2024
    affected < 2.9.2-r2fixed 2.9.2-r2

    Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

  • CVE-2024-37891Jun 17, 2024
    affected < 2.9.2-r1fixed 2.9.2-r1

    urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'

  • CVE-2024-25142Jun 14, 2024
    affected < 2.9.2-r0fixed 2.9.2-r0

    Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.  Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This i

  • CVE-2024-35255Jun 11, 2024
    affected < 2.9.2-r0fixed 2.9.2-r0

    Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

  • CVE-2024-35195MedMay 20, 2024
    affected < 2.9.1-r1fixed 2.9.1-r1

    Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes

Page 2 of 2