Bitnami package
airflow
pkg:bitnami/airflow
Vulnerabilities (109)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-17511 | — | | | < 1.10.13 | 1.10.13 | Dec 14, 2020 | In Airflow versions prior to 1.10.13, when creating a user using the airflow CLI, the password gets logged in plain text in the Log table in the Airflow metadatabase. The same happened when creating a Connection with a password field. |
| CVE-2020-17515 | — | | | < 1.10.15 | 1.10.15 | Dec 11, 2020 | The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is the same as CVE-2020-13944, but the fix implemented in Airflow 1.10.13 did not fix the issue completely. |
| CVE-2020-13927 | — | | KEV | < 1.10.11 | 1.10.11 | Nov 10, 2020 | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at http |
| CVE-2020-13944 | — | | | < 1.10.15 | 1.10.15 | Sep 17, 2020 | In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. |
| CVE-2020-9485 | — | | | < 1.10.11 | 1.10.11 | Jul 16, 2020 | An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the "classic" UI. |
| CVE-2020-11983 | — | | | < 1.10.11 | 1.10.11 | Jul 16, 2020 | An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks. |
| CVE-2020-11982 | — | | | < 1.10.11 | 1.10.11 | Jul 16, 2020 | An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly into the broker, which could lead to a deserialization attack (and th |
| CVE-2020-11981 | — | | | < 1.10.11 | 1.10.11 | Jul 16, 2020 | An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. |
| CVE-2020-11978 | — | | KEV | < 1.10.11 | 1.10.11 | Jul 16, 2020 | An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/sche |
Page 6 of 6