apk package
wolfi/airflow-compat
pkg:apk/wolfi/airflow-compat
Vulnerabilities (32)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-5279 | High | — | | < 2.11.0-r1 | 2.11.0-r1 | May 27, 2025 | When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and r |
| CVE-2025-47287 | | — | | < 2.10.5-r44 | 2.10.5-r44 | May 15, 2025 | Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo |
| CVE-2025-43859 | Critical | 9.1 | | < 2.10.5-r43 | 2.10.5-r43 | Apr 24, 2025 | h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since explo |
| CVE-2025-27018 | | — | | < 2.10.5-r3 | 2.10.5-r3 | Mar 19, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by runni |
| CVE-2024-12797 | Medium | 6.3 | | < 2.10.5-r1 | 2.10.5-r1 | Feb 11, 2025 | Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u |
| CVE-2025-24795 | | — | | < 2.10.5-r0 | 2.10.5-r0 | Jan 29, 2025 | The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. On Linux systems, when tempora |
| CVE-2025-24794 | | — | | < 2.10.5-r0 | 2.10.5-r0 | Jan 29, 2025 | The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses p |
| CVE-2025-24793 | | — | | < 2.10.5-r0 | 2.10.5-r0 | Jan 29, 2025 | The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the snowflake. |
| CVE-2024-45033 | | — | | < 2.10.4-r2 | 2.10.4-r2 | Jan 8, 2025 | Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expi |
| CVE-2024-12745 | | — | | < 2.10.4-r2 | 2.10.4-r2 | Dec 24, 2024 | A SQL injection in the Amazon Redshift Python Connector v2.1.4 allows a user to gain escalated privileges via the get_schemas, get_tables, or get_columns Metadata APIs. Users are recommended to upgrade to the driver version 2.1.5 or revert to driver version 2.1.3. |
| CVE-2024-56326 | | — | | < 2.10.4-r2 | 2.10.4-r2 | Dec 23, 2024 | Jinja is an extensible templating engine. Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t |
| CVE-2024-56201 | | — | | < 2.10.4-r2 | 2.10.4-r2 | Dec 23, 2024 | Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit |
| CVE-2024-52804 | | — | | < 2.10.3-r2 | 2.10.3-r2 | Nov 22, 2024 | Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This par |
| CVE-2024-52304 | | — | | < 2.10.3-r2 | 2.10.3-r2 | Nov 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai |
| CVE-2024-52303 | | — | | < 2.10.3-r2 | 2.10.3-r2 | Nov 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the build |
| CVE-2024-50378 | | — | | < 2.10.3-r0 | 2.10.3-r0 | Nov 8, 2024 | Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and we |
| CVE-2024-49750 | | — | | < 2.10.2-r1 | 2.10.2-r1 | Oct 24, 2024 | The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo passcod |
| CVE-2024-21272 | | — | | < 2.10.2-r1 | 2.10.2-r1 | Oct 15, 2024 | Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL |
| CVE-2024-45034 | | — | | < 2.10.1-r0 | 2.10.1-r0 | Sep 7, 2024 | Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to versi |
| CVE-2024-45498 | | — | | < 2.10.1-r0 | 2.10.1-r0 | Sep 7, 2024 | Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you |
Page 1 of 2