Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
airflow vulnerabilities and exploits
(subscribe to this query)
668
VMScore
CVE-2020-11981
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Apache Airflow
1 Github repository
312
VMScore
CVE-2020-11983
An issue was found in Apache Airflow versions 1.10.10 and below. It exists that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
Apache Airflow
NA
CVE-2023-35908
Apache Airflow, versions prior to 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected
Apache Airflow
NA
CVE-2023-25695
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: prior to 2.5.2.
Apache Airflow
445
VMScore
CVE-2021-35936
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows rea...
Apache Airflow
NA
CVE-2022-38054
In Apache Airflow versions 2.2.4 up to and including 2.3.3, the `database` webserver session backend was susceptible to session fixation.
Apache Airflow
NA
CVE-2022-38170
In Apache Airflow before 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary fil...
Apache Airflow
312
VMScore
CVE-2018-20244
In Apache Airflow prior to 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
Apache Airflow
445
VMScore
CVE-2018-20245
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.
Apache Airflow
NA
CVE-2022-43985
In Apache Airflow versions before 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
Apache Airflow
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
spoof
CVE-2024-34928
CVE-2024-5291
deserialization
CVE-2024-4471
CVE-2024-4956
CVE-2024-32002
CVE-2024-5227
unspecified
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
NEXT »