Vulmon
apache airflow vulnerabilities and exploits
7.5
CVSSv2
CVE-2021-38540
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote ...
Apache Airflow
1 Github repository
7.5
CVSSv2
CVE-2020-13927
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
Apache Airflow
1 Metasploit module
1 Github repository
7.5
CVSSv2
CVE-2020-11981
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Apache Airflow
1 Github repository
7.5
CVSSv2
CVE-2020-11982
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and th...
Apache Airflow
6.8
CVSSv2
CVE-2019-0229
A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.
Apache Airflow
6.8
CVSSv2
CVE-2017-17835
In Apache Airflow 1.8.2 and previous versions, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.
Apache Airflow
6.5
CVSSv2
CVE-2022-24288
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
Apache Airflow
6.5
CVSSv2
CVE-2020-11978
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability exists in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (d...
Apache Airflow
1 Metasploit module
4 Github repositories
6.5
CVSSv2
CVE-2017-15720
In Apache Airflow 1.8.2 and previous versions, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.
Apache Airflow
5
CVSSv2
CVE-2021-35936
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows rea...
Apache Airflow