Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
airflow vulnerabilities and exploits
(subscribe to this query)
6.1
CVSSv3
CVE-2022-43985
In Apache Airflow versions before 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
Apache Airflow
4.3
CVSSv3
CVE-2023-47037
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions prior to 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. ...
Apache Airflow
6.1
CVSSv3
CVE-2017-12614
It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for thi...
Apache Airflow
5.3
CVSSv3
CVE-2021-26697
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and e...
Apache Airflow 2.0.0
6.5
CVSSv3
CVE-2021-26559
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a pri...
Apache Airflow 2.0.0
8.8
CVSSv3
CVE-2023-40195
Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to confi...
Apache Airflow Spark Provider
9.8
CVSSv3
CVE-2023-28706
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: prior to 6.0.0.
Apache Airflow Hive Provider
7.8
CVSSv3
CVE-2023-41267
In the Apache Airflow HDFS Provider, versions before 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was in...
Apache Airflow Hdfs Provider
7.2
CVSSv3
CVE-2023-33234
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connectio...
Apache Airflow Cncf Kubernetes
8.8
CVSSv3
CVE-2023-27604
Apache Airflow Sqoop Provider, versions prior to 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. ...
Apache Airflow Sqoop Provider
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
HTML injection
CVE-2024-35894
SQL
CVE-2024-5105
CVE-2014-100005
CVE-2024-35895
unauthorized
CVE-2024-22120
CVE-2024-35890
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
3
4
5
6
7
8
9
10
NEXT »