VYPR

Bitnami package

airflow

pkg:bitnami/airflow

Vulnerabilities (109)

  • CVE-2022-40127 (Nov 14, 2022)
    affected: < 2.4.0; fixed: 2.4.0

    A vulnerability in the Example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

  • CVE-2022-27949 (Nov 14, 2022)
    affected: < 2.3.1; fixed: 2.3.1

    A vulnerability in the UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks that were not executed (for example, when they depended on past runs and previous instances of the task failed). This issue affects Apache Airflow prior to 2

  • CVE-2022-43985 (Nov 2, 2022)
    affected: < 2.4.2; fixed: 2.4.2

    In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.

  • CVE-2022-43982 (Nov 2, 2022)
    affected: < 2.4.2; fixed: 2.4.2

    In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.

  • CVE-2022-41672 (Oct 7, 2022)
    affected: < 2.4.2; fixed: 2.4.2

    In Apache Airflow, prior to version 2.4.1, deactivating a user would not prevent an already authenticated user from continuing to use the UI or API.

  • CVE-2022-40754 (Sep 21, 2022)
    affected: >= 2.3.0, < 2.3.5; fixed: 2.3.5

    In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

  • CVE-2022-40604 (Sep 21, 2022)
    affected: >= 2.3.0, < 2.3.5; fixed: 2.3.5

    In Apache Airflow 2.3.0 through 2.3.4, part of a URL was unnecessarily formatted, allowing possible information extraction.

  • CVE-2022-38170 (Sep 2, 2022)
    affected: < 2.3.4; fixed: 2.3.4

    In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag, which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary f

  • CVE-2022-38054 (Sep 2, 2022)
    affected: >= 2.2.4, < 2.3.4; fixed: 2.3.4

    In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

  • CVE-2022-24288 (Feb 25, 2022)
    affected: < 2.2.4; fixed: 2.2.4

    In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

  • CVE-2021-45229 (Feb 25, 2022)
    affected: < 2.2.4; fixed: 2.2.4

    It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.

  • CVE-2021-45230 (Jan 20, 2022)
    affected: >= 2.0.0, < 2.2.0; fixed: 2.2.0

    In Apache Airflow prior to 2.2.0, a user who has "can_create" permissions on DAG Runs can create DAG Runs for DAGs that they do not have "edit" permissions for.

  • CVE-2021-38540 (Sep 9, 2021)
    affected: >= 2.0.0, < 2.1.3; fixed: 2.1.3

    The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code e

  • CVE-2021-35936 (Aug 16, 2021)
    affected: < 2.1.2; fixed: 2.1.2

    If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows rea

  • CVE-2021-29621 (Jun 7, 2021)
    affected: >= 1.10.0, < 1.10.1; fixed: 1.10.1

    Flask-AppBuilder is a development framework built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3 allows a non-authenticated user to enumerate existing accounts by timing the server's response when logging in. Up

  • CVE-2021-28359 (May 2, 2021)
    affected: >= 1.0.0, < 1.10.15; fixed: 1.10.15

    The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemen

  • CVE-2021-26697 (Feb 17, 2021)
    affected: >= 2.0.0, < 2.0.1; fixed: 2.0.1

    The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and e

  • CVE-2021-26559 (Feb 17, 2021)
    affected: >= 2.0.0, < 2.0.1; fixed: 2.0.1

    Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a pri

  • CVE-2020-17526 (Dec 21, 2020)
    affected: < 1.10.14; fixed: 1.10.14

    Incorrect session validation in the Apache Airflow Webserver, versions prior to 1.10.14 with the default config, allows a malicious Airflow user who logs in normally on site A to access an Airflow Webserver on site B that they are not authorized for, by reusing the session from site A. This does not affect us

  • CVE-2020-17513 (Dec 14, 2020)
    affected: < 1.10.13; fixed: 1.10.13

    In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable to SSRF attacks.
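To make the affected/fixed ranges on this page actionable, the following is an added example (not VYPR's or Apache Airflow's own code) that evaluates an installed Airflow version against the ranges listed above and reports the smallest upgrade that clears all of them. The ADVISORIES table is transcribed from the entries on this page; the range grammar (comma-separated `>=` / `<` clauses that must all hold) is assumed from how the page prints them, and the version parser deliberately ignores pre-release suffixes such as `rc1`.

```python
"""Check an Apache Airflow version against the affected/fixed ranges on this
page. Added example, not VYPR or Apache Airflow code. The ADVISORIES table is
transcribed from the entries above; the range grammar is assumed from how the
page prints ranges (comma-separated clauses that must all hold)."""
import re
from typing import List, Optional, Tuple

# (CVE id, affected range as printed on this page, fixed version)
ADVISORIES: List[Tuple[str, str, str]] = [
    ("CVE-2022-40127", "< 2.4.0", "2.4.0"),
    ("CVE-2022-27949", "< 2.3.1", "2.3.1"),
    ("CVE-2022-43985", "< 2.4.2", "2.4.2"),
    ("CVE-2022-43982", "< 2.4.2", "2.4.2"),
    ("CVE-2022-41672", "< 2.4.2", "2.4.2"),
    ("CVE-2022-40754", ">= 2.3.0, < 2.3.5", "2.3.5"),
    ("CVE-2022-40604", ">= 2.3.0, < 2.3.5", "2.3.5"),
    ("CVE-2022-38170", "< 2.3.4", "2.3.4"),
    ("CVE-2022-38054", ">= 2.2.4, < 2.3.4", "2.3.4"),
    ("CVE-2022-24288", "< 2.2.4", "2.2.4"),
    ("CVE-2021-45229", "< 2.2.4", "2.2.4"),
    ("CVE-2021-45230", ">= 2.0.0, < 2.2.0", "2.2.0"),
    ("CVE-2021-38540", ">= 2.0.0, < 2.1.3", "2.1.3"),
    ("CVE-2021-35936", "< 2.1.2", "2.1.2"),
    ("CVE-2021-29621", ">= 1.10.0, < 1.10.1", "1.10.1"),
    ("CVE-2021-28359", ">= 1.0.0, < 1.10.15", "1.10.15"),
    ("CVE-2021-26697", ">= 2.0.0, < 2.0.1", "2.0.1"),
    ("CVE-2021-26559", ">= 2.0.0, < 2.0.1", "2.0.1"),
    ("CVE-2020-17526", "< 1.10.14", "1.10.14"),
    ("CVE-2020-17513", "< 1.10.13", "1.10.13"),
]

Version = Tuple[int, ...]
# Longer operators first so ">=" is not read as ">" followed by "=".
_CLAUSE = re.compile(r"(>=|<=|==|>|<)\s*([\d.]+)")
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Version:
    """'2.3.4', 'v2.3.4' or '2.3.4rc1' -> (2, 3, 4, 0). Only the leading dotted
    numeric part is compared, zero-padded to at least four parts so that '2.3'
    and '2.3.0' compare equal. Pre-release tags are ignored on purpose: an rc
    of the fixed version is treated as fixed (tighten this if that matters)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * max(0, 4 - len(parts)))


def in_range(version: str, expr: str) -> bool:
    """True if `version` satisfies every clause of `expr` (e.g. '>= 2.3.0, < 2.3.5')."""
    clauses = _CLAUSE.findall(expr)
    if not clauses:
        raise ValueError(f"no comparison clauses in {expr!r}")
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in clauses)


def affected_by(version: str) -> List[Tuple[str, str]]:
    """[(cve, fixed_version), ...] for every advisory whose range contains
    `version`, in page order (newest first)."""
    return [(cve, fixed) for cve, rng, fixed in ADVISORIES if in_range(version, rng)]


def minimum_fixed_version(version: str) -> Optional[str]:
    """Smallest upgrade target that clears every advisory on this page, or None
    if `version` is already clear. Starts from the highest 'fixed' version among
    the current hits and re-checks, because a fixed version can in principle sit
    inside another advisory's range (a lower bound above the original version)."""
    target, hits = version, affected_by(version)
    while hits:
        target = max((fixed for _, fixed in hits), key=parse_version)
        hits = affected_by(target)
    return None if target == version else target


if __name__ == "__main__":
    import sys

    ver = sys.argv[1] if len(sys.argv) > 1 else "2.3.3"  # constructed sample input
    for cve, fixed in affected_by(ver):
        print(f"{ver}: {cve} (fixed in {fixed})")
    print("upgrade to:", minimum_fixed_version(ver) or "already clear")
```

Run it as `python check_airflow.py 2.3.3` against the version reported by `airflow version`; the Bitnami image tag tracks the upstream Airflow version, but confirm with the binary rather than the tag, since a patched image can lag the listing.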

Page 5 of 6