pkg:PyPI/apache-airflow

All known vulnerabilities

• CRITICAL9.8CVE-2020-13927⚠ KEVAuthentication bypass in Apache Airflow
  from 0, < 1.10.11
• CRITICAL9.8CVE-2020-13927⚠ KEVAuthentication bypass in Apache Airflow
  from 0, < 1.10.11
• HIGH8.8⚠ KEVRemote code execution (RCE) in Apache Airflow
  from 0, < 1.10.11rc1
• HIGH8.8⚠ KEVRemote code execution (RCE) in Apache Airflow
  from 0, < 1.10.11rc1
• CRITICAL9.8Apache Airflow Providers Edge3 exposes internal API allowing RCE in web server context
  from 0, < 2.0.0
• CRITICAL9.8Apache Airflow: Privilege escalation using airflow logs
  from 0, < 2.6.0
• CRITICAL9.8Apache Airflow: Privilege escalation using airflow logs
  from 0, < 2.6.0b1
• CRITICAL9.8Apache Airflow Sqoop Provider Improper Input Validation vulnerability
  from 0, < 3.1.1
• CRITICAL9.8Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow
  from 0, < 2.5.1
• CRITICAL9.8Apache Airflow Pinot provider allowed Command Injection
  from 0, < 2.3.0
• CRITICAL9.8Apache Airlfow Pig Provider RCE
  from 0, < 2.3.0
• CRITICAL9.8Session Fixation
  >= 2.2.4, < 2.3.4rc1
• CRITICAL9.8Session Fixation
  >= 2.2.4, < 2.3.4rc1
• CRITICAL9.8Apache Airflow: Variable Import endpoint missed authentication check
  >= 2.0.0, < 2.1.3
• CRITICAL9.8Apache Airflow: Variable Import endpoint missed authentication check
  >= 2.0.0, < 2.1.3
• CRITICAL9.8Insecure default config of Celery worker in Apache Airflow
  from 0, < 1.10.11rc1
• CRITICAL9.8Insecure default config of Celery worker in Apache Airflow
  from 0, < 1.10.11
• CRITICAL9.8Command injection via Celery broker in Apache Airflow
  from 0, < 1.10.11rc1
• CRITICAL9.8Command injection via Celery broker in Apache Airflow
  from 0, < 1.10.11rc1
• CRITICAL9.8Apache Airflow vulnerable to XSS
  from 0, < 1.9.0
• CRITICAL9.8Apache Airflow vulnerable to XSS
  from 0, < 1.9.0
• CRITICAL9.1Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
  >= 3.0.0, < 3.2.2
• CRITICAL9.1Apache Airflow: Airflow Logout Not Invalidating JWT
  >= 3.0.0, < 3.2.0
• HIGH8.8Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
  >= 3.2.0, < 3.2.2
• HIGH8.8Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
  >= 3.1.8, < 3.2.0
• HIGH8.8Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
  >= 3.1.8, < 3.2.0
• HIGH8.8Apache Airflow: Command Injection in an example DAG
  >= 2.10.0, < 2.10.1
• HIGH8.8Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes
  from 0, < 2.10.1
• HIGH8.8Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes
  from 0, < 2.10.1
• HIGH8.8Apache Airflow: Command Injection in an example DAG
  from 0, <= 2.10.0-NA
• HIGH8.8Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler
  >= 2.4.0, < 2.9.3
• HIGH8.8Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler
  >= 2.4.0, < 2.9.3
• HIGH8.8Apache Airflow: Airflow "Run task" feature allows execution with unnecessary priviledges
  from 0, < 2.6.0
• HIGH8.8Apache Airflow: Airflow "Run task" feature allows execution with unnecessary priviledges
  from 0, < 2.6.0b1
• HIGH8.8Apache Airflow <2.4.0 has an RCE in a bash example
  from 0, < 2.4.0
• HIGH8.8Apache Airflow <2.4.0 has an RCE in a bash example
  from 0, < 2.4.0
• HIGH8.8Apache Airflow: RCE in example DAGs
  from 0, < 2.2.4
• HIGH8.8Apache Airflow: RCE in example DAGs
  from 0, < 2.2.4
• HIGH8.8Apache Airflow vulnerable to CSRF Attacks
  from 0, < 1.10.3b1
• HIGH8.8Apache Airflow vulnerable to CSRF Attacks
  from 0, < 1.10.3
• HIGH8.8Cross-Site Request Forgery (CSRF) in Apache Airflow
  from 0, < 1.9.0
• HIGH8.8Cross-Site Request Forgery (CSRF) in Apache Airflow
  from 0, < 1.9.0
• HIGH8.8Improper Input Validation in Apache Airflow resulting in Remote Code Execution
  from 0, < 1.9.0
• HIGH8.8Improper Input Validation in Apache Airflow resulting in Remote Code Execution
  from 0, < 1.9.0
• HIGH8.4Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information
  from 0, < 2.11.1
• HIGH8.1Apache Airflow: RCE by race condition in example_xcom dag
  from 0, < 3.2.0
• HIGH8.1Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
  >= 3.1.0, < 3.1.8
• HIGH8.1Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
  >= 3.0.0, < 3.1.8
• HIGH8.1Apache Airflow: Ignored Airflow Permissions
  >= 2.8.0, < 2.8.3rc1
• HIGH8.1Apache Airflow: Ignored Airflow Permissions
  >= 2.8.0, < 2.8.3rc1
• HIGH8.1Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on "test connection" feature
  from 0, < 2.7.0b1
• HIGH8.1Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on "test connection" feature
  from 0, < 2.7.0
• HIGH8.1Session still functional after user is deactivated
  from 0, < 2.4.2rc1
• HIGH8.1Session still functional after user is deactivated
  from 0, < 2.4.1rc1
• HIGH8.0Session fixation in Apache Airflow web interface
  from 0, < 2.7.0rc2
• HIGH8.0Session fixation in Apache Airflow web interface
  from 0, < 2.7.1rc1
• HIGH7.7Incorrect Session Validation in Apache Airflow
  from 0, < 1.10.14
• HIGH7.7Incorrect Session Validation in Apache Airflow
  from 0, < 1.10.14
• HIGH7.5Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation
  >= 3.2.0, < 3.2.2
• HIGH7.5Apache Airflow: JWT token appearing in logs
  >= 3.0.0, < 3.2.0
• HIGH7.5Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
  from 0, < 3.2.0
• HIGH7.5Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
  >= 3.0.0, < 3.2.0
• HIGH7.5Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
  >= 3.0.0, < 3.1.8
• HIGH7.5Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
  >= 3.0.0, < 3.1.8
• HIGH7.5Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
  >= 3.0.0, < 3.1.8
• HIGH7.5Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
  >= 3.0.0, < 3.1.8
• HIGH7.5Apache Airflow: proxy credentials for various providers might leak in task logs
  from 0, < 3.1.6
• HIGH7.5Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated
  >= 3.1.0, < 3.1.6
• HIGH7.5Apache Airflow: proxy credentials for various providers might leak in task logs
  >= 3.0.0b1, < 3.1.6
• HIGH7.5Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated
  >= 3.1.0, < 3.1.6
• HIGH7.5Apache Airflow: Sensitive configuration values are not masked in the logs by default
  from 0, < 2.10.3
• HIGH7.5Apache Airflow: Potential pickle deserialization vulnerability in XComs
  from 0, < 2.8.1rc1
• HIGH7.5Apache Airflow: Potential pickle deserialization vulnerability in XComs
  from 0, < 2.8.1
• HIGH7.5Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
  >= 1.10.0, < 2.7.0
• HIGH7.5apache-airflow-providers-apache-drill Improper Input Validation vulnerability
  from 0, < 2.4.3
• HIGH7.5Apache Airflow Drill Provider vulnerable to improper input validation
  from 0, < 2.3.2
• HIGH7.5Apache Airflow prior to 2.3.1 may include sensitive values in rendered template
  from 0, < 2.3.1
• HIGH7.5Apache Airflow prior to 2.3.1 may include sensitive values in rendered template
  from 0, < 2.3.1
• HIGH7.5Format String Vulnerability
  >= 2.3.0, < 2.4.0rc1
• HIGH7.5Format String Vulnerability
  >= 2.3.0, < 2.4.0b1
• HIGH7.5Improper Certificate Validation in Apache Airflow
  from 0, < 1.10.1
• HIGH7.5Improper Certificate Validation in Apache Airflow
  from 0, < 1.10.1
• HIGH7.3Apache Airflow: Arbitrary import in custom deadline-reference deserialization
  from 0, < 3.2.2
• HIGH7.2Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)
  from 0, < 3.2.0
• MEDIUM6.5Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path
  from 0, < 3.2.2
• MEDIUM6.5Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler
  from 0, < 3.2.2
• MEDIUM6.5Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking
  from 0, < 3.2.2
• MEDIUM6.5Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response
  from 0, < 3.2.2
• MEDIUM6.5Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
  from 0, < 3.1.8
• MEDIUM6.5Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)
  >= 3.0.0, < 3.2.0
• MEDIUM6.5Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)
  >= 3.0.0, < 3.2.0
• MEDIUM6.5Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli
  from 0, < 2.11.1
• MEDIUM6.5Apache Airflow: Disclosure of secrets to UI via kwargs
  from 0, < 2.11.1
• MEDIUM6.5Apache Airflow: Airflow externalLogUrl Permission Bypass
  >= 3.1.0, < 3.1.7
• MEDIUM6.5Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors
  >= 3.0.0, < 3.1.7
• MEDIUM6.5Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors
  from 0, < 3.1.7
• MEDIUM6.5Apache Airflow: Airflow externalLogUrl Permission Bypass
  >= 3.1.0, < 3.1.7
• MEDIUM6.5Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI
  >= 3.1.0, < 3.1.5
• MEDIUM6.5Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI
  >= 3.1.0, < 3.1.4
• MEDIUM6.5Apache Airflow: Connection sensitive details exposed to users with READ permissions
  >= 3.0.3, < 3.0.4