cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-45033,https://securityvulnerability.io/vulnerability/CVE-2024-45033,Insufficient Session Expiration in Apache Airflow Fab Provider,"An insufficient session expiration vulnerability exists in the Apache Airflow Fab Provider: users remained logged in after their password was changed through the admin CLI, so an existing session kept its access despite the password change. Versions before 1.5.2 are affected. Password changes made through the web server did expire sessions correctly. Users are recommended to upgrade to version 1.5.2, which fixes the issue.",Apache,Apache Airflow Fab Provider,8.1,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-08T08:41:39.579Z,0
CVE-2024-45784,https://securityvulnerability.io/vulnerability/CVE-2024-45784,Airflow Versions Before 2.10.3 Vulnerable to Logging Sensitive Configuration Variables,"Apache Airflow versions before 2.10.3 could expose sensitive configuration variables in task logs: DAG authors could, unintentionally or intentionally, log sensitive configuration values, and anyone with access to those task logs could read them and use them to compromise the Airflow deployment. Since version 2.10.3 such values are masked in task logs. Users should upgrade to Airflow 2.10.3 or later. If you suspect that DAG authors could have logged secret values and your logs are not otherwise protected, rotate those secrets as well.",Apache,Apache Airflow,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-15T08:20:05.581Z,0
CVE-2024-50378,https://securityvulnerability.io/vulnerability/CVE-2024-50378,Airflow Versions Before 2.10.3 Have a Vulnerability That Allows Unauthorized Access to Sensitive Data,"Airflow versions before 2.10.3 allow authenticated users with audit log access to see sensitive values in audit logs that they should not see. When sensitive variables were set via the Airflow CLI, their values appeared in the audit log and were stored unencrypted in the Airflow database. The exposure is limited to users with audit log access; nonetheless users are recommended to upgrade to Airflow 2.10.3 or later, which fixes this issue. Users who previously set secret variables via the CLI should manually delete the corresponding entries from the log table and consider rotating those values.",Apache,Apache Airflow,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-08T14:37:09.699Z,0
CVE-2024-45034,https://securityvulnerability.io/vulnerability/CVE-2024-45034,Airflow Vulnerability: DAG Authors Can Execute Code During Scheduling,"Apache Airflow versions before 2.10.1 allow DAG authors to place a local settings file (airflow_local_settings.py) in the DAG folder and have the scheduler execute it, although the scheduler is not supposed to execute code submitted by DAG authors. Users are advised to upgrade to version 2.10.1 or later, which fixes the vulnerability.",Apache,Apache Airflow,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-09-07T07:45:27.654Z,0
CVE-2024-45498,https://securityvulnerability.io/vulnerability/CVE-2024-45498,Arbitrary Command Execution Vulnerability in Airflow,"The example DAG example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your own DAGs, check that you have not copied the dangerous pattern; see https://github.com/apache/airflow/pull/41873 for details. Example DAGs should not be exposed in production deployments at all; if you must expose them, upgrade Airflow to version 2.10.1 or later.",Apache,Apache Airflow,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-09-07T07:43:43.899Z,0
CVE-2024-41937,https://securityvulnerability.io/vulnerability/CVE-2024-41937,Apache Airflow Vulnerability: Cross-Site Scripting Attack,"Apache Airflow versions before 2.10.0 allow the developer of a malicious provider to execute a cross-site scripting attack when a user clicks on the provider's documentation link. This requires the provider to be installed on the web server and the user to click the link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.",Apache,Apache Airflow,6.1,MEDIUM,0.0012600000482052565,false,,false,false,false,,,false,false,,2024-08-21T15:31:13.962Z,0
CVE-2024-42447,https://securityvulnerability.io/vulnerability/CVE-2024-42447,Insufficient Session Expiration Vulnerability in Apache Airflow Providers FAB,"An Insufficient Session Expiration vulnerability exists in Apache Airflow Providers FAB. Affected are FAB provider 1.2.1 when used with Apache Airflow 2.9.3, and FAB provider 1.2.0 with any Apache Airflow version. In these combinations logging out does not invalidate the session, so a session token remains usable after the user has logged out. Users are advised to upgrade to Apache Airflow Providers FAB version 1.2.2, which fixes the issue, and to keep Apache Airflow itself on the latest available version.",Apache,Apache Airflow Providers Fab,9.8,CRITICAL,0.003220000071451068,false,,false,false,false,,,false,false,,2024-08-05T08:02:31.921Z,0
CVE-2024-39877,https://securityvulnerability.io/vulnerability/CVE-2024-39877,Arbitrary Code Execution Vulnerability in Apache Airflow,"Apache Airflow versions 2.4.0 through 2.9.2 allow authenticated DAG authors to execute arbitrary code in the scheduler context, which violates the Airflow security model (the scheduler must not execute code supplied by DAG authors). Users are advised to upgrade to version 2.9.3 or later, which fixes the vulnerability.",Apache,Apache Airflow,8.8,HIGH,0.0013200000394135714,false,,true,false,false,,,false,false,,2024-07-17T07:54:24.338Z,0
CVE-2024-39863,https://securityvulnerability.io/vulnerability/CVE-2024-39863,Airflow Update: Security Vulnerability Affects Versions Before 2.9.3,"Apache Airflow versions before 2.9.3 allow an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.",Apache,Apache Airflow,5.4,MEDIUM,0.0026199999265372753,false,,false,false,false,,,false,false,,2024-07-17T07:53:31.820Z,0
CVE-2024-25142,https://securityvulnerability.io/vulnerability/CVE-2024-25142,Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow,"Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return a ""Cache-Control"" header for dynamic content, which in some browsers could result in sensitive data being stored in the browser's local cache. This issue affects Apache Airflow before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue.",Apache,Apache Airflow,5.5,MEDIUM,0.0004199999966658652,false,,false,false,false,,,false,false,,2024-06-14T08:25:35.633Z,0
CVE-2024-32077,https://securityvulnerability.io/vulnerability/CVE-2024-32077,Airflow 2.9.0 Vulnerability: Malicious Log Injection Risk,"Apache Airflow version 2.9.0 allows an authenticated attacker to inject malicious data into task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.",Apache,Apache Airflow,5.4,MEDIUM,0.0014299999456852674,false,,false,false,false,,,false,false,,2024-05-14T10:43:20.299Z,0
CVE-2024-29733,https://securityvulnerability.io/vulnerability/CVE-2024-29733,Improper Certificate Validation vulnerability in Apache Airflow FTP Provider,"Improper Certificate Validation vulnerability in the Apache Airflow FTP Provider. The FTP hook did not fully validate server certificates in FTP_TLS connections, so an attacker on the network path could present an untrusted certificate and intercept the connection. The fix validates certificates properly by passing context=ssl.create_default_context() when instantiating FTP_TLS. This issue affects Apache Airflow FTP Provider before 3.7.0. Users are recommended to upgrade to version 3.7.0, which fixes the issue.",Apache,Apache Airflow Ftp Provider,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-04-21T17:21:55.722Z,0
CVE-2024-31869,https://securityvulnerability.io/vulnerability/CVE-2024-31869,Airflow Versions 2.7.0 through 2.8.4 Vulnerability: Authenticated User Can Access Sensitive Provider Configuration,"Airflow versions 2.7.0 through 2.8.4 allow an authenticated user to see sensitive provider configuration via the ""configuration"" UI page when ""webserver.expose_config"" is set to ""non-sensitive-only"" (the Celery provider is currently the only community provider with sensitive configuration). Upgrade to Airflow 2.9, or set ""expose_config"" to False as a workaround. This is similar to, but distinct from, CVE-2023-46288 (https://github.com/advisories/GHSA-9qqg-mh7c-chfq), which concerned the API rather than the UI configuration page.",Apache,Apache Airflow,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-04-18T07:19:05.033Z,0
CVE-2024-29735,https://securityvulnerability.io/vulnerability/CVE-2024-29735,Improper Preservation of Permissions vulnerability in Apache Airflow,"An improper preservation of permissions vulnerability exists in Apache Airflow versions 2.8.2 through 2.8.3: the file task handler set incorrect permissions on the parent directories of the log folder, which could make those directories writable by their Unix group, particularly when Airflow runs as root. Users who keep log files under their home directory can find SSH logins failing, because a group-writable home directory fails sshd's StrictModes permission checks. Users running the official Airflow Docker images, or running with a umask of 002, are not affected. Upgrade to Apache Airflow 2.8.4, or adjust the file task handler's permission settings, to mitigate the issue.",Apache,Apache Airflow,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-03-26T16:52:40.770Z,0
CVE-2024-28746,https://securityvulnerability.io/vulnerability/CVE-2024-28746,Apache Airflow Vulnerability Allows Unauthorized Access to Sensitive Data,"Apache Airflow versions 2.8.0 through 2.8.2 allow authenticated users with limited permissions to access sensitive resources such as variables and connections via the user interface, leading to unauthorized information disclosure. Users should upgrade to version 2.8.3 or later, which fixes the issue.",Apache,Apache Airflow,8.1,HIGH,0.0028699999675154686,false,,false,false,false,,,false,false,,2024-03-14T08:41:03.928Z,0
CVE-2024-26280,https://securityvulnerability.io/vulnerability/CVE-2024-26280,Airflow Vulnerability: Unauthorized Access to Audit Logs,"Apache Airflow versions before 2.8.2 allow authenticated Ops and Viewer users to view all information in the audit logs, including DAG names and usernames they were not permitted to view. From 2.8.2 onwards Ops and Viewer users do not have audit log permission by default and must be granted it explicitly; only Admin users have it by default. Users are recommended to upgrade to version 2.8.2 or later.",Apache,Apache Airflow,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-03-01T11:05:54.480Z,0
CVE-2024-27906,https://securityvulnerability.io/vulnerability/CVE-2024-27906,Apache Airflow Vulnerability Affects DAG Code and Import Errors,"Apache Airflow versions before 2.8.2 allow authenticated users to view the DAG code and import errors of DAGs they do not have permission to view, through both the API and the UI. Users are recommended to upgrade to version 2.8.2 or later.",Apache,Apache Airflow,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-02-29T11:02:19.310Z,0
CVE-2024-25141,https://securityvulnerability.io/vulnerability/CVE-2024-25141,Mongo Hook Fixes Unexpected SSL Validation Issue,"When SSL was enabled for the Mongo Hook, the default settings included ""allow_insecure"", so server certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to Apache Airflow Mongo Provider version 4.0.0, which fixes this issue.",Apache,Apache Airflow Mongo Provider,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-02-20T20:30:28.924Z,0
CVE-2023-50944,https://securityvulnerability.io/vulnerability/CVE-2023-50944,Apache Airflow: Bypass permission verification to read code of other dags,"Apache Airflow versions before 2.8.1 allow an authenticated user to read the source code of a DAG they do not have access to. The severity is considered low since exploitation requires an authenticated user. Users are recommended to upgrade to version 2.8.1, which fixes this issue.",Apache,Apache Airflow,6.5,MEDIUM,0.0017099999822676182,false,,false,false,false,,,false,false,,2024-01-24T12:58:18.873Z,0
CVE-2023-50943,https://securityvulnerability.io/vulnerability/CVE-2023-50943,Apache Airflow: Potential pickle deserialization vulnerability in XComs,"Apache Airflow versions before 2.8.1 allow an attacker to poison XCom data by bypassing the protection that the enable_xcom_pickling=False setting is meant to provide, so that attacker-controlled pickled data is deserialized by the consumer of the XCom. Users should upgrade to Apache Airflow 2.8.1 or later, which fixes this issue.",Apache,Apache Airflow,7.5,HIGH,0.007430000230669975,false,,false,false,false,,,false,false,,2024-01-24T12:57:07.287Z,0
CVE-2023-51702,https://securityvulnerability.io/vulnerability/CVE-2023-51702,"Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service","Since version 5.2.0 of the CNCF Kubernetes provider, when deferrable mode is used with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes that configuration file as a dictionary and sends it to the triggerer by storing it in the metadata database without encryption. In addition, with Airflow versions between 2.3.0 and 2.6.0, the configuration dictionary is logged as plain text in the triggerer service without masking. Anyone with access to the metadata database or the triggerer log can therefore obtain the configuration file and use it to access the Kubernetes cluster. Provider version 7.0.0 stops serializing the file contents and passes the file path instead, so the trigger reads the file itself. Users are recommended to upgrade to version 7.0.0, which fixes this issue.",Apache,"Apache Airflow Cncf Kubernetes Provider,Apache Airflow",6.5,MEDIUM,0.0013899999903514981,false,,false,false,false,,,false,false,,2024-01-24T12:56:17.869Z,0
CVE-2023-50783,https://securityvulnerability.io/vulnerability/CVE-2023-50783,"Apache Airflow: Improper access control vulnerability on the ""varimport"" endpoint","Apache Airflow versions before 2.8.0 allow an authenticated user without the variable edit permission to update a variable through the ""varimport"" endpoint, compromising the integrity of variable management and potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue.",Apache,Apache Airflow,6.5,MEDIUM,0.0007099999929778278,false,,false,false,false,,,false,false,,2023-12-21T10:15:00.000Z,0
CVE-2023-48291,https://securityvulnerability.io/vulnerability/CVE-2023-48291,Apache Airflow: Improper access control to DAG resources,"Apache Airflow versions before 2.8.0 allow an authenticated user with limited access to some DAGs to craft a request that grants them write access to various DAG resources of DAGs they have no access to, for example to clear DAGs they should not be able to clear. This is a missing part of the fix for CVE-2023-42792 in Apache Airflow 2.7.2. Users are strongly advised to upgrade to version 2.8.0 or later.",Apache,Apache Airflow,4.3,MEDIUM,0.0010100000072270632,false,,false,false,false,,,false,false,,2023-12-21T10:15:00.000Z,0
CVE-2023-47265,https://securityvulnerability.io/vulnerability/CVE-2023-47265,Apache Airflow: DAG Params allow to embed unchecked Javascript,"Apache Airflow versions 2.6.0 through 2.7.3 have a stored XSS vulnerability that allows a DAG author to put unbounded, unsanitized JavaScript in the parameter description field of a DAG. That JavaScript runs in the browser of any user who views the DAG's tasks. The issue does not escape the browser sandbox and gives no more control over server-side data than the DAG author already has, but it lets the author alter what other users see in the DAG details page, which opens many ways of misleading them. Users are recommended to upgrade to version 2.8.0 or later.",Apache,Apache Airflow,5.4,MEDIUM,0.002959999954327941,false,,false,false,false,,,false,false,,2023-12-21T10:15:00.000Z,0
CVE-2023-49920,https://securityvulnerability.io/vulnerability/CVE-2023-49920,Apache Airflow: Missing CSRF protection on DAG/trigger,"Apache Airflow versions 2.7.0 through 2.7.3 allow an attacker to trigger a DAG via a GET request without CSRF validation. A malicious website opened in the same browser as an active Airflow UI session could therefore trigger DAG runs without the user's consent. Users are advised to upgrade to version 2.8.0 or later, which is not affected.",Apache,Apache Airflow,6.5,MEDIUM,0.013890000060200691,false,,false,false,false,,,false,false,,2023-12-21T10:15:00.000Z,0
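Worked example for the two insufficient-session-expiration records above (CVE-2024-45033 and CVE-2024-42447). This is added illustration code, not the FAB provider's or Airflow's own implementation; User, SessionStore and BoundSessionStore are hypothetical names. It contrasts a session store that only remembers who logged in with one that pins each session to a password version, so a password change made anywhere (web UI or admin CLI) invalidates every session issued before it.

```python
import hashlib
import hmac
import secrets

# Added example, not Airflow or FAB provider code. Class and function names
# are hypothetical; the pattern is the fix CVE-2024-45033 calls for: a
# session must stop being valid once the password it was issued under changes.


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password_version = 0
        self.set_password(password)

    def set_password(self, new_password: str) -> None:
        # Every change, whether via the web UI or the admin CLI, bumps the version.
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(new_password, self.salt)
        self.password_version += 1

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.password_hash)


class SessionStore:
    """Vulnerable variant: a session records only who logged in, so it
    stays valid after the password is changed out of band."""

    def __init__(self, users: dict):
        self.users = users
        self._sessions = {}

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = self._session_data(user)
        return token

    def _session_data(self, user: User) -> dict:
        return {"user": user.username}

    def is_valid(self, token: str) -> bool:
        return token in self._sessions


class BoundSessionStore(SessionStore):
    """Fixed variant: the session is pinned to the password version current
    at login; a later password change invalidates every older session."""

    def _session_data(self, user: User) -> dict:
        return {"user": user.username, "pw_version": user.password_version}

    def is_valid(self, token: str) -> bool:
        data = self._sessions.get(token)
        if data is None:
            return False
        user = self.users.get(data["user"])
        if user is None or data["pw_version"] != user.password_version:
            self._sessions.pop(token, None)  # expire the stale session
            return False
        return True


def demo(store_cls) -> tuple:
    """Log in, change the password the way the admin CLI would, and report
    whether the original session is still accepted before and after."""
    users = {"alice": User("alice", "old-pass")}  # constructed sample user
    store = store_cls(users)
    token = store.login("alice", "old-pass")
    before = store.is_valid(token)
    users["alice"].set_password("new-pass")
    after = store.is_valid(token)
    return before, after
```

demo(SessionStore) returns (True, True), the vulnerable behaviour; demo(BoundSessionStore) returns (True, False). A logout in the fixed store is simply a pop of the token, which also covers the CVE-2024-42447 case where logout left the session usable.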
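Worked example for the XCom pickle record above (CVE-2023-50943). This is added illustration code, not Airflow's XCom serializer. It shows why an XCom value that might come from another DAG author must never be unpickled, using the classic builtins.exec gadget with a harmless payload, and what a strict JSON-only deserializer looks like. POISON_MARKER, Poisoned and the two *_deserialize functions are hypothetical names; the poisoned blob is constructed in the block.

```python
import json
import os
import pickle

# Added example, not Airflow code. Names are hypothetical.

POISON_MARKER = "XCOM_POISON_DEMO"  # set by the payload so the effect is observable


class Poisoned:
    """Any object with a __reduce__ hook: pickle.loads() calls the returned
    callable with the returned arguments. Here it is exec() setting an
    environment variable; an attacker would run os.system() or spawn a shell."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{POISON_MARKER}'] = '1'",))


def make_poisoned_xcom() -> bytes:
    # What an attacker would store as an XCom value.
    return pickle.dumps(Poisoned(), protocol=pickle.HIGHEST_PROTOCOL)


def unsafe_deserialize(blob: bytes):
    # Equivalent of trusting pickled XComs: the payload runs during loading.
    return pickle.loads(blob)


def safe_deserialize(blob: bytes):
    """Accept only JSON. The PROTO opcode (0x80) that opens every protocol>=2
    pickle is rejected up front; protocol 0/1 pickles and anything else that
    is not JSON fail in json.loads, so no pickle opcode is ever executed."""
    if blob[:1] == b"\x80":
        raise ValueError("refusing to deserialize a pickle-encoded XCom value")
    try:
        return json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("XCom value is not valid JSON") from exc


def demo() -> tuple:
    """Return (marker after unsafe load, marker after safe load)."""
    blob = make_poisoned_xcom()
    os.environ.pop(POISON_MARKER, None)
    unsafe_deserialize(blob)  # attacker's callable runs here
    after_unsafe = os.environ.get(POISON_MARKER)
    os.environ.pop(POISON_MARKER, None)
    try:
        safe_deserialize(blob)
    except ValueError:
        pass  # rejected before any opcode is interpreted
    after_safe = os.environ.get(POISON_MARKER)
    return after_unsafe, after_safe
```

demo() returns ("1", None): the pickle path executes attacker code merely by loading the value, the JSON path does not. The check is on the consumer side on purpose; a setting such as enable_xcom_pickling=False only helps if every code path that reads XComs honours it, which is exactly what the bypass in this CVE broke.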
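Worked example for the FTP provider record above (CVE-2024-29733); the Mongo provider record (CVE-2024-25141, allow_insecure) is the same class of bug in a different client library. This is added illustration code, not the Airflow FTP hook. It compares the context ftplib.FTP_TLS builds when none is passed with the verifying context the advisory recommends, and adds a pre-connect guard. The function names are hypothetical; FTP_TLS and ssl.create_default_context are standard library and no connection is opened.

```python
import ssl
from ftplib import FTP_TLS

# Added example, not the Airflow FTP provider's code. Function names are
# hypothetical. Nothing here connects to a server; only the TLS policy that
# would be applied on connect() is inspected.


def insecure_ftp_tls() -> FTP_TLS:
    # Vulnerable pattern: with no context, ftplib builds one that neither
    # verifies the server certificate nor checks the hostname.
    return FTP_TLS()


def hardened_ftp_tls() -> FTP_TLS:
    # Mitigation named in CVE-2024-29733: a default (verifying) context.
    return FTP_TLS(context=ssl.create_default_context())


def context_policy(ftp: FTP_TLS) -> dict:
    """Report whether an FTP_TLS object will validate the peer."""
    ctx = ftp.context
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def is_verifying(ftp: FTP_TLS) -> bool:
    policy = context_policy(ftp)
    return policy["verifies_certificate"] and policy["checks_hostname"]


def assert_verifying(ftp: FTP_TLS) -> FTP_TLS:
    """Guard to call before connect(): refuse a client that would accept any certificate."""
    if not is_verifying(ftp):
        raise RuntimeError("FTP_TLS context does not validate server certificates")
    return ftp
```

context_policy(insecure_ftp_tls()) reports both flags False, which is what the unpatched hook shipped with; the hardened variant reports both True. For pymongo the equivalent guard is to reject tlsAllowInvalidCertificates=True (the option behind the provider's allow_insecure default) before building the client.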
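Worked example for the two log-exposure records above (CVE-2024-45784 and CVE-2024-50378). This is added illustration code, not Airflow's SecretsMasker. It is a logging filter that redacts every known secret value from a record before any handler writes it, which is the behaviour the 2.10.3 fix adds for task logs. SecretMaskingFilter, ListHandler and log_with_masking are hypothetical names; the secret values and log messages in the usage are constructed samples.

```python
import logging

# Added example, not Airflow's own masker. Names are hypothetical.

REDACTED = "***"


class SecretMaskingFilter(logging.Filter):
    def __init__(self, secret_values):
        super().__init__()
        # Longest first, so a secret that contains another is masked whole.
        self._secrets = sorted({s for s in secret_values if s}, key=len, reverse=True)

    def _mask(self, text: str) -> str:
        for secret in self._secrets:
            text = text.replace(secret, REDACTED)
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then redact the result, so a
        # secret passed as a %s argument is caught as well as one in the format.
        record.msg = self._mask(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted records so the output can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_with_masking(secret_values, messages) -> list:
    """Log each (fmt, args) pair through a masked handler; return the output lines."""
    logger = logging.getLogger("airflow.task.masking_example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretMaskingFilter(secret_values))  # masks before emit()
    logger.addHandler(handler)
    for fmt, args in messages:
        logger.info(fmt, *args)
    return handler.lines


if __name__ == "__main__":
    # Constructed sample: two secret values and three task-log lines.
    for line in log_with_masking(
        ["hunter2", "AKIAEXAMPLEKEY"],
        [("connecting with password=%s", ("hunter2",)),
         ("config: aws_key=AKIAEXAMPLEKEY region=us-east-1", ()),
         ("nothing secret here", ())],
    ):
        print(line)
```

Masking works only for values the masker knows about, which is why both records still tell you to rotate anything that may already have reached the logs: a filter added after the fact cannot scrub what was written before it.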