Apache

Airflow

145 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 1.2%
  • Veröffentlicht 07.10.2022 07:15:08
  • Zuletzt bearbeitet 21.11.2024 07:23:36

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

  • EPSS 1.57%
  • Veröffentlicht 21.09.2022 08:15:08
  • Zuletzt bearbeitet 27.05.2025 19:15:23

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.

  • EPSS 1.45%
  • Veröffentlicht 21.09.2022 08:15:08
  • Zuletzt bearbeitet 27.05.2025 19:15:23

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

  • EPSS 1.88%
  • Veröffentlicht 02.09.2022 07:15:07
  • Zuletzt bearbeitet 21.11.2024 07:15:39

In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

  • EPSS 0.59%
  • Veröffentlicht 02.09.2022 07:15:07
  • Zuletzt bearbeitet 21.11.2024 07:15:55

In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing loc...

  • EPSS 2.56%
  • Veröffentlicht 25.02.2022 09:15:06
  • Zuletzt bearbeitet 21.11.2024 06:32:00

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.

  • EPSS 77.88%
  • Veröffentlicht 25.02.2022 09:15:06
  • Zuletzt bearbeitet 21.11.2024 06:50:05

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

  • EPSS 1.71%
  • Veröffentlicht 20.01.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:32:01

In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.

  • EPSS 80.94%
  • Veröffentlicht 09.09.2021 15:15:09
  • Zuletzt bearbeitet 21.11.2024 06:17:23

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, informati...

  • EPSS 4.02%
  • Veröffentlicht 16.08.2021 08:15:11
  • Zuletzt bearbeitet 21.11.2024 06:12:47

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no...