apk package
wolfi/airflow-bitnami-compat
pkg:apk/wolfi/airflow-bitnami-compat
Vulnerabilities (32)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45314 | — | < 2.10.3-r0 | 2.10.3-r0 | Sep 4, 2024 | Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch f | ||
| CVE-2024-41937 | — | < 2.10.0-r0 | 2.10.0-r0 | Aug 21, 2024 | Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user t | ||
| CVE-2024-42367 | — | < 2.9.3-r2 | 2.9.3-r2 | Aug 9, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director | ||
| CVE-2024-42447 | — | < 2.9.3-r2 | 2.9.3-r2 | Aug 5, 2024 | Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. * FAB prov | ||
| CVE-2024-39877 | — | < 2.9.3-r0 | 2.9.3-r0 | Jul 17, 2024 | Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users sho | ||
| CVE-2024-39863 | — | < 2.9.3-r0 | 2.9.3-r0 | Jul 17, 2024 | Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. | ||
| CVE-2024-6345 | Hig | 8.8 | < 2.9.3-r1 | 2.9.3-r1 | Jul 15, 2024 | A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti | |
| CVE-2024-39689 | — | < 2.9.2-r2 | 2.9.2-r2 | Jul 5, 2024 | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro | ||
| CVE-2024-37891 | — | < 2.9.2-r1 | 2.9.2-r1 | Jun 17, 2024 | urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it' | ||
| CVE-2024-25142 | — | < 2.9.2-r0 | 2.9.2-r0 | Jun 14, 2024 | Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This i | ||
| CVE-2024-35255 | — | < 2.9.2-r0 | 2.9.2-r0 | Jun 11, 2024 | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability | ||
| CVE-2024-35195 | Med | 5.6 | < 2.9.1-r1 | 2.9.1-r1 | May 20, 2024 | Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes |
- CVE-2024-45314Sep 4, 2024affected < 2.10.3-r0fixed 2.10.3-r0
Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch f
- CVE-2024-41937Aug 21, 2024affected < 2.10.0-r0fixed 2.10.0-r0
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user t
- CVE-2024-42367Aug 9, 2024affected < 2.9.3-r2fixed 2.9.3-r2
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director
- CVE-2024-42447Aug 5, 2024affected < 2.9.3-r2fixed 2.9.3-r2
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. * FAB prov
- CVE-2024-39877Jul 17, 2024affected < 2.9.3-r0fixed 2.9.3-r0
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users sho
- CVE-2024-39863Jul 17, 2024affected < 2.9.3-r0fixed 2.9.3-r0
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
- affected < 2.9.3-r1fixed 2.9.3-r1
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti
- CVE-2024-39689Jul 5, 2024affected < 2.9.2-r2fixed 2.9.2-r2
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro
- CVE-2024-37891Jun 17, 2024affected < 2.9.2-r1fixed 2.9.2-r1
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'
- CVE-2024-25142Jun 14, 2024affected < 2.9.2-r0fixed 2.9.2-r0
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This i
- CVE-2024-35255Jun 11, 2024affected < 2.9.2-r0fixed 2.9.2-r0
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
- affected < 2.9.1-r1fixed 2.9.1-r1
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes
Page 2 of 2