Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
airflow vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2023-40273
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for datab...
Apache Airflow
7.5
CVSSv2
CVE-2020-11981
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Apache Airflow
1 Github repository
3.5
CVSSv2
CVE-2020-11983
An issue was found in Apache Airflow versions 1.10.10 and below. It exists that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
Apache Airflow
5
CVSSv2
CVE-2018-20245
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.
Apache Airflow
4.3
CVSSv2
CVE-2017-12614
It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for thi...
Apache Airflow
5
CVSSv2
CVE-2020-17513
In Apache Airflow versions before 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
Apache Airflow
4.3
CVSSv2
CVE-2020-17515
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions before 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue com...
Apache Airflow
4
CVSSv2
CVE-2020-17511
In Airflow versions before 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.
Apache Airflow
3.5
CVSSv2
CVE-2020-17526
Incorrect Session Validation in Apache Airflow Webserver versions before 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect user...
Apache Airflow
6.5
CVSSv2
CVE-2020-11978
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability exists in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (d...
Apache Airflow
1 Metasploit module
4 Github repositories
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2006-4304
CVE-2024-4240
arbitrary
CVE-2024-31601
XSS
CVE-2023-20198
CVE-2024-4256
CVE-2024-3342
encryption
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »