Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
airflow vulnerabilities and exploits
(subscribe to this query)
6.1
CVSSv3
CVE-2017-12614
It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for thi...
Apache Airflow
7.5
CVSSv3
CVE-2022-40604
In Apache Airflow 2.3.0 up to and including 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.
Apache Airflow
6.1
CVSSv3
CVE-2022-40754
In Apache Airflow 2.3.0 up to and including 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.
Apache Airflow
6.5
CVSSv3
CVE-2021-26559
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a pri...
Apache Airflow 2.0.0
5.3
CVSSv3
CVE-2021-26697
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and e...
Apache Airflow 2.0.0
9.8
CVSSv3
CVE-2023-28706
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: prior to 6.0.0.
Apache Airflow Hive Provider
7.8
CVSSv3
CVE-2023-41267
In the Apache Airflow HDFS Provider, versions before 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was in...
Apache Airflow Hdfs Provider
7.2
CVSSv3
CVE-2023-33234
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connectio...
Apache Airflow Cncf Kubernetes
8.8
CVSSv3
CVE-2023-40195
Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to confi...
Apache Airflow Spark Provider
8.8
CVSSv3
CVE-2023-27604
Apache Airflow Sqoop Provider, versions prior to 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. ...
Apache Airflow Sqoop Provider
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49223
CVE-2024-0044
information disclosure
CVE-2024-35753
HTML injection
CVE-2024-21306
CVE-2024-35733
SQL injection
CVE-2024-35732
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
3
4
5
6
7
8
9
10
NEXT »