CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apache » Airflow » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-24288 78 2022-02-25 2022-03-04
6.5
None Remote Low ??? Partial Partial Partial
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
2 CVE-2021-45230 2022-01-20 2022-07-12
4.0
None Remote Low ??? None Partial None
In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.
3 CVE-2021-45229 79 XSS 2022-02-25 2022-03-04
4.3
None Remote Medium Not required None Partial None
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.
4 CVE-2021-38540 306 DoS Exec Code 2021-09-09 2021-09-21
7.5
None Remote Low Not required Partial Partial Partial
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
5 CVE-2021-35936 862 2021-08-16 2021-08-24
5.0
None Remote Low Not required Partial None None
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
6 CVE-2021-28359 79 XSS 2021-05-02 2021-05-10
4.3
None Remote Medium Not required None Partial None
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
7 CVE-2020-17526 2020-12-21 2022-04-26
3.5
None Remote Medium ??? Partial None None
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.
8 CVE-2020-17515 79 XSS 2020-12-11 2022-08-06
4.3
None Remote Medium Not required None Partial None
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.
9 CVE-2020-17513 918 2020-12-14 2020-12-15
5.0
None Remote Low Not required None Partial None
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
10 CVE-2020-17511 312 2020-12-14 2020-12-15
4.0
None Remote Low ??? Partial None None
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.
11 CVE-2020-13944 79 XSS 2020-09-17 2022-08-06
4.3
None Remote Medium Not required None Partial None
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
12 CVE-2020-13927 1188 2020-11-10 2022-07-12
7.5
None Remote Low Not required Partial Partial Partial
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
13 CVE-2020-11983 79 XSS 2020-07-17 2020-07-21
3.5
None Remote Medium ??? None Partial None
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
14 CVE-2020-11982 502 Exec Code 2020-07-17 2020-07-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
15 CVE-2020-11981 78 2020-07-17 2020-07-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
16 CVE-2020-11978 78 2020-07-17 2022-07-12
6.5
None Remote Low ??? Partial Partial Partial
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
17 CVE-2020-9485 79 XSS 2020-07-17 2020-07-21
4.3
None Remote Medium Not required None Partial None
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI.
18 CVE-2019-12417 79 XSS 2019-10-30 2019-11-01
3.5
None Remote Medium ??? None Partial None
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
19 CVE-2019-12398 79 XSS 2020-01-14 2020-01-21
3.5
None Remote Medium ??? None Partial None
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
20 CVE-2019-0229 352 CSRF 2019-04-10 2019-04-11
6.8
None Remote Medium Not required Partial Partial Partial
A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.
21 CVE-2019-0216 79 XSS 2019-04-10 2019-04-11
3.5
None Remote Medium ??? None Partial None
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
22 CVE-2018-20245 295 2019-01-23 2019-02-20
5.0
None Remote Low Not required None Partial None
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.
23 CVE-2018-20244 79 XSS 2019-02-27 2019-04-12
3.5
None Remote Medium ??? None Partial None
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
24 CVE-2017-17836 255 XSS 2019-01-23 2019-04-19
5.0
None Remote Low Not required Partial None None
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the system.
25 CVE-2017-17835 352 CSRF 2019-01-23 2019-01-25
6.8
None Remote Medium Not required Partial Partial Partial
In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.
26 CVE-2017-15720 20 Exec Code 2019-01-23 2019-01-25
6.5
None Remote Low ??? Partial Partial Partial
In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.
27 CVE-2017-12614 79 XSS 2018-08-06 2018-10-04
4.3
None Remote Medium Not required None Partial None
It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.
Total number of vulnerabilities : 27   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.