Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
By Recent Activity
apache airflow vulnerabilities and exploits
(subscribe to this query)
5
CVSSv2
CVE-2021-26697
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and...
Apache Airflow 2.0.0
4
CVSSv2
CVE-2021-26559
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a...
Apache Airflow 2.0.0
3.5
CVSSv2
CVE-2020-17526
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect...
Apache Airflow
4
CVSSv2
CVE-2020-17511
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field....
Apache Airflow
5
CVSSv2
CVE-2020-17513
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack....
Apache Airflow
4.3
CVSSv2
CVE-2020-17515
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue...
Apache Airflow
1 Github repository available
7.5
CVSSv2
CVE-2020-13927
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented...
Apache Airflow
4.3
CVSSv2
CVE-2020-13944
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit....
Apache Airflow
6.5
CVSSv2
CVE-2020-11978
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow...
Apache Airflow
7.5
CVSSv2
CVE-2020-11982
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and...
Apache Airflow
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
unprivileged
CVE-2016-8138
CVE-2016-8155
local file inclusion
CVE-2016-8111
CVE-2021-27730
XML external entity
CVE-2021-21973
CVE-2021-21972
1
2
3
NEXT »
Vulmon