VYPR

Bitnami package

airflow

pkg:bitnami/airflow

Vulnerabilities (126)

  • CVE-2022-43982MedNov 2, 2022
    affected < 2.4.2fixed 2.4.2

    In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.

  • CVE-2022-41672HigOct 7, 2022
    affected < 2.4.2fixed 2.4.2

    In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

  • CVE-2022-40754MedSep 21, 2022
    affected >= 2.3.0, < 2.3.5fixed 2.3.5

    In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

  • CVE-2022-40604HigSep 21, 2022
    affected >= 2.3.0, < 2.3.5fixed 2.3.5

    In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.

  • CVE-2022-38170MedSep 2, 2022
    affected < 2.3.4fixed 2.3.4

    In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary f

  • CVE-2022-38054CriSep 2, 2022
    affected >= 2.2.4, < 2.3.4fixed 2.3.4

    In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

  • CVE-2022-24288HigFeb 25, 2022
    affected < 2.2.4fixed 2.2.4

    In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

  • CVE-2021-45229MedFeb 25, 2022
    affected < 2.2.4fixed 2.2.4

    It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.

  • CVE-2021-45230MedJan 20, 2022
    affected >= 2.0.0, < 2.2.0fixed 2.2.0

    In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.

  • CVE-2021-38540CriSep 9, 2021
    affected >= 2.0.0, < 2.1.3fixed 2.1.3

    The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code e

  • CVE-2021-35936MedAug 16, 2021
    affected < 2.1.2fixed 2.1.2

    If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows rea

  • CVE-2021-29621MedJun 7, 2021
    affected >= 1.10.0, < 1.10.1fixed 1.10.1

    Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Up

  • CVE-2021-28359MedMay 2, 2021
    affected >= 1.0.0, < 1.10.15fixed 1.10.15

    The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemen

  • CVE-2021-26697MedFeb 17, 2021
    affected >= 2.0.0, < 2.0.1fixed 2.0.1

    The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and e

  • CVE-2021-26559MedFeb 17, 2021
    affected >= 2.0.0, < 2.0.1fixed 2.0.1

    Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a pri

  • CVE-2020-17526HigDec 21, 2020
    affected < 1.10.14fixed 1.10.14

    Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect us

  • CVE-2020-17513MedDec 14, 2020
    affected < 1.10.13fixed 1.10.13

    In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.

  • CVE-2020-17511MedDec 14, 2020
    affected < 1.10.13fixed 1.10.13

    In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.

  • CVE-2020-17515MedDec 11, 2020
    affected < 1.10.15fixed 1.10.15

    The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.

  • CVE-2020-13927CriKEVNov 10, 2020
    affected < 1.10.11fixed 1.10.11

    The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at http

Page 6 of 7