Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-airflow@1.10.4rc2
Typepypi
Namespace
Nameapache-airflow
Version1.10.4rc2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.2.0
Latest_non_vulnerable_version3.2.0
Affected_by_vulnerabilities
0
url VCID-1963-1kyn-2ban
vulnerability_id VCID-1963-1kyn-2ban
summary 
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. 

Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. 

Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
2
reference_url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
3
reference_url https://github.com/apache/airflow/pull/33413
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33413
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml
5
reference_url https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
reference_id
reference_type
scores
url https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47037
reference_id CVE-2023-47037
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-47037
7
reference_url https://github.com/advisories/GHSA-hm9r-7f84-25c9
reference_id GHSA-hm9r-7f84-25c9
reference_type
scores
url https://github.com/advisories/GHSA-hm9r-7f84-25c9
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.3
purl pkg:pypi/apache-airflow@2.7.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-4u8d-ezsr-sqcz
2
vulnerability VCID-82p8-yujf-hkdd
3
vulnerability VCID-8m3p-yzr8-yyhj
4
vulnerability VCID-arbk-dryb-qkda
5
vulnerability VCID-cxqa-pqca-pqgc
6
vulnerability VCID-hpf3-3z3m-6ydt
7
vulnerability VCID-j6uh-kx6m-sydp
8
vulnerability VCID-kb4a-mm13-63bj
9
vulnerability VCID-mbgq-fq5n-kufh
10
vulnerability VCID-nfbc-tutd-37bw
11
vulnerability VCID-rysu-xhvt-yqda
12
vulnerability VCID-tpjn-4kru-vucv
13
vulnerability VCID-unq1-wwfg-6ydk
14
vulnerability VCID-vras-f42j-xqfg
15
vulnerability VCID-w8ff-8479-rbfq
16
vulnerability VCID-xwza-guvs-83a9
17
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3
aliases CVE-2023-47037, GHSA-hm9r-7f84-25c9, PYSEC-2023-232
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1963-1kyn-2ban
1
url VCID-1azm-hsvr-f3e8
vulnerability_id VCID-1azm-hsvr-f3e8
summary 
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.

This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/29500
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/29500
2
reference_url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
reference_id CVE-2023-25693
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
4
reference_url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
reference_id GHSA-j69x-v4wc-3fpf
reference_type
scores
url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.1
purl pkg:pypi/apache-airflow@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4fjp-pn9s-tyhz
1
vulnerability VCID-9x6r-5m59-yyap
2
vulnerability VCID-bv7f-s53t-uqe4
3
vulnerability VCID-g8pv-cam5-d7dj
4
vulnerability VCID-j6uh-kx6m-sydp
5
vulnerability VCID-kmz1-dm9f-d7hj
6
vulnerability VCID-m3ff-jty5-3uhw
7
vulnerability VCID-nrc9-bdc2-dfes
8
vulnerability VCID-nrgz-jdnp-kyet
9
vulnerability VCID-pvh4-3wng-ekdq
10
vulnerability VCID-tj2m-5j3f-5ueq
11
vulnerability VCID-tpjn-4kru-vucv
12
vulnerability VCID-vras-f42j-xqfg
13
vulnerability VCID-vwv4-7y7y-9fcj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1
aliases CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1azm-hsvr-f3e8
2
url VCID-1ptn-xvsy-d3hu
vulnerability_id VCID-1ptn-xvsy-d3hu
summary Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315
2
reference_url https://github.com/apache/airflow/pull/32060
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32060
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml
4
reference_url https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4
reference_id
reference_type
scores
url https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36543
reference_id CVE-2023-36543
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-36543
6
reference_url https://github.com/advisories/GHSA-3h4m-m55v-gx4m
reference_id GHSA-3h4m-m55v-gx4m
reference_type
scores
url https://github.com/advisories/GHSA-3h4m-m55v-gx4m
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-vj7z-pmk3-cydg
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
26
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-36543, GHSA-3h4m-m55v-gx4m, PYSEC-2023-106
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1ptn-xvsy-d3hu
3
url VCID-2q7x-bua5-37h7
vulnerability_id VCID-2q7x-bua5-37h7
summary 
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).

With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.

Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6
2
reference_url https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b
3
reference_url https://github.com/apache/airflow/pull/33347
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/33347
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml
5
reference_url https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj
6
reference_url https://www.openwall.com/lists/oss-security/2023/08/23/1
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://www.openwall.com/lists/oss-security/2023/08/23/1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40273
reference_id CVE-2023-40273
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40273
8
reference_url https://github.com/advisories/GHSA-pm87-24wq-r8w9
reference_id GHSA-pm87-24wq-r8w9
reference_type
scores
url https://github.com/advisories/GHSA-pm87-24wq-r8w9
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.0rc2
purl pkg:pypi/apache-airflow@2.7.0rc2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-vj7z-pmk3-cydg
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
26
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0rc2
1
url pkg:pypi/apache-airflow@2.7.1rc1
purl pkg:pypi/apache-airflow@2.7.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-4u8d-ezsr-sqcz
3
vulnerability VCID-63fw-ggbk-9ycy
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-unq1-wwfg-6ydk
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1
aliases CVE-2023-40273, GHSA-pm87-24wq-r8w9, PYSEC-2023-158
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2q7x-bua5-37h7
4
url VCID-2xpf-ut63-tbcx
vulnerability_id VCID-2xpf-ut63-tbcx
summary In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-13944
reference_id
reference_type
scores
0
value 0.17227
scoring_system epss
scoring_elements 0.95139
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-13944
1
reference_url https://github.com/advisories/GHSA-4pwq-fj89-6rjc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-4pwq-fj89-6rjc
2
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
3
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
4
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
5
reference_url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
6
reference_url https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
9
reference_url http://www.openwall.com/lists/oss-security/2020/12/11/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/12/11/2
10
reference_url http://www.openwall.com/lists/oss-security/2021/05/01/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/05/01/2
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.12
purl pkg:pypi/apache-airflow@1.10.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5j9w-1tng-k3ac
9
vulnerability VCID-5ph5-s3qc-guf4
10
vulnerability VCID-5ufe-1rrj-rkgp
11
vulnerability VCID-6hxm-nnhg-buex
12
vulnerability VCID-7z8j-8f4d-53dm
13
vulnerability VCID-82p8-yujf-hkdd
14
vulnerability VCID-8m3p-yzr8-yyhj
15
vulnerability VCID-8npr-rvfd-jkfj
16
vulnerability VCID-8ykk-1kak-6bfd
17
vulnerability VCID-9f34-2r5y-sydz
18
vulnerability VCID-arbk-dryb-qkda
19
vulnerability VCID-bn9u-brjp-yudy
20
vulnerability VCID-ctd9-hxfn-8fcs
21
vulnerability VCID-d3kc-fn21-xqar
22
vulnerability VCID-dk1y-938p-k3bv
23
vulnerability VCID-e19b-adrm-x7fu
24
vulnerability VCID-fctg-457f-4uae
25
vulnerability VCID-fnsx-gtgn-27dr
26
vulnerability VCID-gbgf-jfzt-tqg1
27
vulnerability VCID-gg94-fdbv-y7g1
28
vulnerability VCID-gt7b-5554-y7dq
29
vulnerability VCID-hgq2-kuex-y3a3
30
vulnerability VCID-hpf3-3z3m-6ydt
31
vulnerability VCID-j6uh-kx6m-sydp
32
vulnerability VCID-jrwf-mt69-1ydt
33
vulnerability VCID-kb4a-mm13-63bj
34
vulnerability VCID-kgfb-yphg-n3ec
35
vulnerability VCID-ms13-tzaa-hkej
36
vulnerability VCID-nfbc-tutd-37bw
37
vulnerability VCID-p42d-ta7v-7yhn
38
vulnerability VCID-pb3b-22wk-pbh5
39
vulnerability VCID-pmtw-nwnc-nyfw
40
vulnerability VCID-pqgj-ry81-6ua3
41
vulnerability VCID-qxnw-7urw-fud2
42
vulnerability VCID-rysu-xhvt-yqda
43
vulnerability VCID-s49h-br5r-5yh8
44
vulnerability VCID-ssbp-gvfd-2kef
45
vulnerability VCID-tcjg-f9cn-mubj
46
vulnerability VCID-tpjn-4kru-vucv
47
vulnerability VCID-vj7z-pmk3-cydg
48
vulnerability VCID-vras-f42j-xqfg
49
vulnerability VCID-vy44-rbar-w3fn
50
vulnerability VCID-w8ff-8479-rbfq
51
vulnerability VCID-xwza-guvs-83a9
52
vulnerability VCID-ygjc-77t9-yfge
53
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.12
aliases CVE-2020-13944, GHSA-4pwq-fj89-6rjc, PYSEC-2020-19
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xpf-ut63-tbcx
5
url VCID-37nw-x186-puds
vulnerability_id VCID-37nw-x186-puds
summary If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
references
0
reference_url https://github.com/advisories/GHSA-m6h2-jx9v-58w6
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-m6h2-jx9v-58w6
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/27265516d2b897585f5019ecd820cfe5471fd351
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/27265516d2b897585f5019ecd820cfe5471fd351
3
reference_url https://github.com/apache/airflow/commit/7a5bb88ad78d600fbb1676a55752597928115bd8
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/7a5bb88ad78d600fbb1676a55752597928115bd8
4
reference_url https://github.com/apache/airflow/commit/d772f38f843b9add5319a01cf51a844145b01f63
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d772f38f843b9add5319a01cf51a844145b01f63
5
reference_url https://github.com/apache/airflow/compare/2.1.1...2.1.2
reference_id
reference_type
scores
url https://github.com/apache/airflow/compare/2.1.1...2.1.2
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-122.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-122.yaml
7
reference_url https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-35936
reference_id CVE-2021-35936
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-35936
fixed_packages
0
url pkg:pypi/apache-airflow@2.1.2
purl pkg:pypi/apache-airflow@2.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-5ufe-1rrj-rkgp
9
vulnerability VCID-6hxm-nnhg-buex
10
vulnerability VCID-7z8j-8f4d-53dm
11
vulnerability VCID-82p8-yujf-hkdd
12
vulnerability VCID-8m3p-yzr8-yyhj
13
vulnerability VCID-8npr-rvfd-jkfj
14
vulnerability VCID-8ykk-1kak-6bfd
15
vulnerability VCID-arbk-dryb-qkda
16
vulnerability VCID-ctd9-hxfn-8fcs
17
vulnerability VCID-d3kc-fn21-xqar
18
vulnerability VCID-dk1y-938p-k3bv
19
vulnerability VCID-e19b-adrm-x7fu
20
vulnerability VCID-fctg-457f-4uae
21
vulnerability VCID-fnsx-gtgn-27dr
22
vulnerability VCID-gbgf-jfzt-tqg1
23
vulnerability VCID-gg94-fdbv-y7g1
24
vulnerability VCID-hgq2-kuex-y3a3
25
vulnerability VCID-hpf3-3z3m-6ydt
26
vulnerability VCID-j6uh-kx6m-sydp
27
vulnerability VCID-jrwf-mt69-1ydt
28
vulnerability VCID-kb4a-mm13-63bj
29
vulnerability VCID-kgfb-yphg-n3ec
30
vulnerability VCID-kjw8-c6cn-3kee
31
vulnerability VCID-nfbc-tutd-37bw
32
vulnerability VCID-p42d-ta7v-7yhn
33
vulnerability VCID-pb3b-22wk-pbh5
34
vulnerability VCID-pmtw-nwnc-nyfw
35
vulnerability VCID-pqgj-ry81-6ua3
36
vulnerability VCID-qxnw-7urw-fud2
37
vulnerability VCID-rysu-xhvt-yqda
38
vulnerability VCID-s49h-br5r-5yh8
39
vulnerability VCID-tpjn-4kru-vucv
40
vulnerability VCID-vj7z-pmk3-cydg
41
vulnerability VCID-vras-f42j-xqfg
42
vulnerability VCID-vy44-rbar-w3fn
43
vulnerability VCID-w8ff-8479-rbfq
44
vulnerability VCID-xwza-guvs-83a9
45
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.1.2
aliases CVE-2021-35936, GHSA-m6h2-jx9v-58w6, PYSEC-2021-122
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-37nw-x186-puds
6
url VCID-4693-xwwu-7uem
vulnerability_id VCID-4693-xwwu-7uem
summary Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951
2
reference_url https://github.com/apache/airflow/pull/29501
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/29501
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml
4
reference_url https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2
reference_id
reference_type
scores
url https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25695
reference_id CVE-2023-25695
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25695
6
reference_url https://github.com/advisories/GHSA-h6g5-wqqr-3mw3
reference_id GHSA-h6g5-wqqr-3mw3
reference_type
scores
url https://github.com/advisories/GHSA-h6g5-wqqr-3mw3
fixed_packages
0
url pkg:pypi/apache-airflow@2.5.2rc1
purl pkg:pypi/apache-airflow@2.5.2rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-1tvn-y85f-jkb9
4
vulnerability VCID-2q7x-bua5-37h7
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-d3kc-fn21-xqar
15
vulnerability VCID-dk1y-938p-k3bv
16
vulnerability VCID-fctg-457f-4uae
17
vulnerability VCID-hgq2-kuex-y3a3
18
vulnerability VCID-hpf3-3z3m-6ydt
19
vulnerability VCID-j6uh-kx6m-sydp
20
vulnerability VCID-kb4a-mm13-63bj
21
vulnerability VCID-kgfb-yphg-n3ec
22
vulnerability VCID-mbgq-fq5n-kufh
23
vulnerability VCID-nfbc-tutd-37bw
24
vulnerability VCID-pb3b-22wk-pbh5
25
vulnerability VCID-pmtw-nwnc-nyfw
26
vulnerability VCID-rysu-xhvt-yqda
27
vulnerability VCID-s49h-br5r-5yh8
28
vulnerability VCID-tpjn-4kru-vucv
29
vulnerability VCID-vj7z-pmk3-cydg
30
vulnerability VCID-vras-f42j-xqfg
31
vulnerability VCID-vy44-rbar-w3fn
32
vulnerability VCID-w8ff-8479-rbfq
33
vulnerability VCID-xwza-guvs-83a9
34
vulnerability VCID-yrx8-dtav-83av
35
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2rc1
1
url pkg:pypi/apache-airflow@2.5.2
purl pkg:pypi/apache-airflow@2.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-1tvn-y85f-jkb9
4
vulnerability VCID-2q7x-bua5-37h7
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-7z8j-8f4d-53dm
8
vulnerability VCID-82p8-yujf-hkdd
9
vulnerability VCID-8m3p-yzr8-yyhj
10
vulnerability VCID-8npr-rvfd-jkfj
11
vulnerability VCID-8ykk-1kak-6bfd
12
vulnerability VCID-arbk-dryb-qkda
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-kgfb-yphg-n3ec
21
vulnerability VCID-mbgq-fq5n-kufh
22
vulnerability VCID-nfbc-tutd-37bw
23
vulnerability VCID-pb3b-22wk-pbh5
24
vulnerability VCID-pmtw-nwnc-nyfw
25
vulnerability VCID-rysu-xhvt-yqda
26
vulnerability VCID-s49h-br5r-5yh8
27
vulnerability VCID-tpjn-4kru-vucv
28
vulnerability VCID-vj7z-pmk3-cydg
29
vulnerability VCID-vras-f42j-xqfg
30
vulnerability VCID-vy44-rbar-w3fn
31
vulnerability VCID-w8ff-8479-rbfq
32
vulnerability VCID-xwza-guvs-83a9
33
vulnerability VCID-yrx8-dtav-83av
34
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2
aliases CVE-2023-25695, GHSA-h6g5-wqqr-3mw3, PYSEC-2023-2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4693-xwwu-7uem
7
url VCID-4btd-59ga-1yd4
vulnerability_id VCID-4btd-59ga-1yd4
summary Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75
2
reference_url https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e
3
reference_url https://github.com/apache/airflow/pull/30447
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/30447
4
reference_url https://github.com/apache/airflow/pull/30779
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/30779
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml
6
reference_url https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl
reference_id
reference_type
scores
url https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29247
reference_id CVE-2023-29247
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-29247
8
reference_url https://github.com/advisories/GHSA-vcf6-3wv2-5vcr
reference_id GHSA-vcf6-3wv2-5vcr
reference_type
scores
url https://github.com/advisories/GHSA-vcf6-3wv2-5vcr
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.0
purl pkg:pypi/apache-airflow@2.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-1tvn-y85f-jkb9
4
vulnerability VCID-2q7x-bua5-37h7
5
vulnerability VCID-4u8d-ezsr-sqcz
6
vulnerability VCID-7z8j-8f4d-53dm
7
vulnerability VCID-82p8-yujf-hkdd
8
vulnerability VCID-8m3p-yzr8-yyhj
9
vulnerability VCID-8npr-rvfd-jkfj
10
vulnerability VCID-8ykk-1kak-6bfd
11
vulnerability VCID-arbk-dryb-qkda
12
vulnerability VCID-cxqa-pqca-pqgc
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-mbgq-fq5n-kufh
21
vulnerability VCID-nfbc-tutd-37bw
22
vulnerability VCID-pmtw-nwnc-nyfw
23
vulnerability VCID-rysu-xhvt-yqda
24
vulnerability VCID-s49h-br5r-5yh8
25
vulnerability VCID-tpjn-4kru-vucv
26
vulnerability VCID-vj7z-pmk3-cydg
27
vulnerability VCID-vras-f42j-xqfg
28
vulnerability VCID-vy44-rbar-w3fn
29
vulnerability VCID-w8ff-8479-rbfq
30
vulnerability VCID-xwza-guvs-83a9
31
vulnerability VCID-yrx8-dtav-83av
32
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0
aliases CVE-2023-29247, GHSA-vcf6-3wv2-5vcr, PYSEC-2023-60
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4btd-59ga-1yd4
8
url VCID-4u8d-ezsr-sqcz
vulnerability_id VCID-4u8d-ezsr-sqcz
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
2
reference_url https://github.com/apache/airflow/pull/36255
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/36255
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
4
reference_url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
reference_id
reference_type
scores
url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
reference_id CVE-2023-50943
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
6
reference_url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
reference_id GHSA-c3c6-f2ww-xfr2
reference_type
scores
url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-4u8d-ezsr-sqcz
2
vulnerability VCID-82p8-yujf-hkdd
3
vulnerability VCID-8m3p-yzr8-yyhj
4
vulnerability VCID-arbk-dryb-qkda
5
vulnerability VCID-hpf3-3z3m-6ydt
6
vulnerability VCID-j6uh-kx6m-sydp
7
vulnerability VCID-k4r8-a72h-fkdf
8
vulnerability VCID-kb4a-mm13-63bj
9
vulnerability VCID-mbgq-fq5n-kufh
10
vulnerability VCID-tpjn-4kru-vucv
11
vulnerability VCID-vras-f42j-xqfg
12
vulnerability VCID-w8ff-8479-rbfq
13
vulnerability VCID-xwza-guvs-83a9
14
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-8m3p-yzr8-yyhj
2
vulnerability VCID-arbk-dryb-qkda
3
vulnerability VCID-hpf3-3z3m-6ydt
4
vulnerability VCID-j6uh-kx6m-sydp
5
vulnerability VCID-k4r8-a72h-fkdf
6
vulnerability VCID-kb4a-mm13-63bj
7
vulnerability VCID-mbgq-fq5n-kufh
8
vulnerability VCID-tpjn-4kru-vucv
9
vulnerability VCID-vras-f42j-xqfg
10
vulnerability VCID-w8ff-8479-rbfq
11
vulnerability VCID-xwza-guvs-83a9
12
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50943, GHSA-c3c6-f2ww-xfr2, PYSEC-2024-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4u8d-ezsr-sqcz
9
url VCID-5j9w-1tng-k3ac
vulnerability_id VCID-5j9w-1tng-k3ac
summary In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-17513
reference_id
reference_type
scores
0
value 0.02135
scoring_system epss
scoring_elements 0.84475
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-17513
1
reference_url https://github.com/advisories/GHSA-6r3p-fcvm-xh7c
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-6r3p-fcvm-xh7c
2
reference_url https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.13
purl pkg:pypi/apache-airflow@1.10.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-9f34-2r5y-sydz
17
vulnerability VCID-arbk-dryb-qkda
18
vulnerability VCID-bn9u-brjp-yudy
19
vulnerability VCID-ctd9-hxfn-8fcs
20
vulnerability VCID-d3kc-fn21-xqar
21
vulnerability VCID-dk1y-938p-k3bv
22
vulnerability VCID-e19b-adrm-x7fu
23
vulnerability VCID-fctg-457f-4uae
24
vulnerability VCID-fnsx-gtgn-27dr
25
vulnerability VCID-gbgf-jfzt-tqg1
26
vulnerability VCID-gg94-fdbv-y7g1
27
vulnerability VCID-gt7b-5554-y7dq
28
vulnerability VCID-hgq2-kuex-y3a3
29
vulnerability VCID-hpf3-3z3m-6ydt
30
vulnerability VCID-j6uh-kx6m-sydp
31
vulnerability VCID-jrwf-mt69-1ydt
32
vulnerability VCID-kb4a-mm13-63bj
33
vulnerability VCID-kgfb-yphg-n3ec
34
vulnerability VCID-ms13-tzaa-hkej
35
vulnerability VCID-nfbc-tutd-37bw
36
vulnerability VCID-p42d-ta7v-7yhn
37
vulnerability VCID-pb3b-22wk-pbh5
38
vulnerability VCID-pmtw-nwnc-nyfw
39
vulnerability VCID-pqgj-ry81-6ua3
40
vulnerability VCID-qxnw-7urw-fud2
41
vulnerability VCID-rysu-xhvt-yqda
42
vulnerability VCID-s49h-br5r-5yh8
43
vulnerability VCID-ssbp-gvfd-2kef
44
vulnerability VCID-tpjn-4kru-vucv
45
vulnerability VCID-vj7z-pmk3-cydg
46
vulnerability VCID-vras-f42j-xqfg
47
vulnerability VCID-vy44-rbar-w3fn
48
vulnerability VCID-w8ff-8479-rbfq
49
vulnerability VCID-xwza-guvs-83a9
50
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13
aliases CVE-2020-17513, GHSA-6r3p-fcvm-xh7c, PYSEC-2020-20
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5j9w-1tng-k3ac
10
url VCID-5ph5-s3qc-guf4
vulnerability_id VCID-5ph5-s3qc-guf4
summary 
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.

Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.
This issue affects Apache Airflow Drill Provider: before 2.4.3.
It is recommended to upgrade to a version that is not affected.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110
2
reference_url https://github.com/apache/airflow/pull/33074
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33074
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml
4
reference_url https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf
reference_id
reference_type
scores
url https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf
5
reference_url https://www.openwall.com/lists/oss-security/2023/08/11/1
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/08/11/1
6
reference_url http://www.openwall.com/lists/oss-security/2023/08/11/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2023/08/11/1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-39553
reference_id CVE-2023-39553
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-39553
8
reference_url https://github.com/advisories/GHSA-mq4v-6vg4-796c
reference_id GHSA-mq4v-6vg4-796c
reference_type
scores
url https://github.com/advisories/GHSA-mq4v-6vg4-796c
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.3
purl pkg:pypi/apache-airflow@2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-7z8j-8f4d-53dm
8
vulnerability VCID-82p8-yujf-hkdd
9
vulnerability VCID-8m3p-yzr8-yyhj
10
vulnerability VCID-8npr-rvfd-jkfj
11
vulnerability VCID-8ykk-1kak-6bfd
12
vulnerability VCID-arbk-dryb-qkda
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-kgfb-yphg-n3ec
21
vulnerability VCID-mbgq-fq5n-kufh
22
vulnerability VCID-nfbc-tutd-37bw
23
vulnerability VCID-pb3b-22wk-pbh5
24
vulnerability VCID-pmtw-nwnc-nyfw
25
vulnerability VCID-rysu-xhvt-yqda
26
vulnerability VCID-s49h-br5r-5yh8
27
vulnerability VCID-tpjn-4kru-vucv
28
vulnerability VCID-vj7z-pmk3-cydg
29
vulnerability VCID-vras-f42j-xqfg
30
vulnerability VCID-vy44-rbar-w3fn
31
vulnerability VCID-w8ff-8479-rbfq
32
vulnerability VCID-xwza-guvs-83a9
33
vulnerability VCID-yrx8-dtav-83av
34
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3
aliases CVE-2023-39553, GHSA-mq4v-6vg4-796c, PYSEC-2023-136
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5ph5-s3qc-guf4
11
url VCID-5qe8-jdbh-x7b4
vulnerability_id VCID-5qe8-jdbh-x7b4
summary An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-11983
reference_id
reference_type
scores
0
value 0.00411
scoring_system epss
scoring_elements 0.61674
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-11983
1
reference_url https://github.com/advisories/GHSA-q4p3-qw5c-mhpc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-q4p3-qw5c-mhpc
2
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5ufe-1rrj-rkgp
12
vulnerability VCID-6hxm-nnhg-buex
13
vulnerability VCID-7z8j-8f4d-53dm
14
vulnerability VCID-82p8-yujf-hkdd
15
vulnerability VCID-8m3p-yzr8-yyhj
16
vulnerability VCID-8npr-rvfd-jkfj
17
vulnerability VCID-8ykk-1kak-6bfd
18
vulnerability VCID-9f34-2r5y-sydz
19
vulnerability VCID-arbk-dryb-qkda
20
vulnerability VCID-bn9u-brjp-yudy
21
vulnerability VCID-ctd9-hxfn-8fcs
22
vulnerability VCID-d3kc-fn21-xqar
23
vulnerability VCID-dk1y-938p-k3bv
24
vulnerability VCID-e19b-adrm-x7fu
25
vulnerability VCID-fctg-457f-4uae
26
vulnerability VCID-fnsx-gtgn-27dr
27
vulnerability VCID-gbgf-jfzt-tqg1
28
vulnerability VCID-gg94-fdbv-y7g1
29
vulnerability VCID-gt7b-5554-y7dq
30
vulnerability VCID-hgq2-kuex-y3a3
31
vulnerability VCID-hpf3-3z3m-6ydt
32
vulnerability VCID-j6uh-kx6m-sydp
33
vulnerability VCID-jrwf-mt69-1ydt
34
vulnerability VCID-kb4a-mm13-63bj
35
vulnerability VCID-kgfb-yphg-n3ec
36
vulnerability VCID-krjr-ctw4-r3d3
37
vulnerability VCID-ms13-tzaa-hkej
38
vulnerability VCID-nfbc-tutd-37bw
39
vulnerability VCID-p42d-ta7v-7yhn
40
vulnerability VCID-pb3b-22wk-pbh5
41
vulnerability VCID-pmtw-nwnc-nyfw
42
vulnerability VCID-pqgj-ry81-6ua3
43
vulnerability VCID-qxnw-7urw-fud2
44
vulnerability VCID-rysu-xhvt-yqda
45
vulnerability VCID-s49h-br5r-5yh8
46
vulnerability VCID-ssbp-gvfd-2kef
47
vulnerability VCID-tcjg-f9cn-mubj
48
vulnerability VCID-tpjn-4kru-vucv
49
vulnerability VCID-vj7z-pmk3-cydg
50
vulnerability VCID-vras-f42j-xqfg
51
vulnerability VCID-vy44-rbar-w3fn
52
vulnerability VCID-w8ff-8479-rbfq
53
vulnerability VCID-xwza-guvs-83a9
54
vulnerability VCID-ygjc-77t9-yfge
55
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
aliases CVE-2020-11983, GHSA-q4p3-qw5c-mhpc, PYSEC-2020-17
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5qe8-jdbh-x7b4
12
url VCID-5ufe-1rrj-rkgp
vulnerability_id VCID-5ufe-1rrj-rkgp
summary A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.
references
0
reference_url https://github.com/apache/airflow/pull/22754
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/22754
1
reference_url https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p
reference_id
reference_type
scores
url https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p
2
reference_url http://www.openwall.com/lists/oss-security/2022/11/14/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/11/14/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.3.1
purl pkg:pypi/apache-airflow@2.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-ctd9-hxfn-8fcs
15
vulnerability VCID-d3kc-fn21-xqar
16
vulnerability VCID-dk1y-938p-k3bv
17
vulnerability VCID-e19b-adrm-x7fu
18
vulnerability VCID-fctg-457f-4uae
19
vulnerability VCID-fnsx-gtgn-27dr
20
vulnerability VCID-fut9-4dat-qbfy
21
vulnerability VCID-gg94-fdbv-y7g1
22
vulnerability VCID-hgq2-kuex-y3a3
23
vulnerability VCID-hpf3-3z3m-6ydt
24
vulnerability VCID-j6uh-kx6m-sydp
25
vulnerability VCID-k7ea-m9cw-w3fz
26
vulnerability VCID-kb4a-mm13-63bj
27
vulnerability VCID-kgfb-yphg-n3ec
28
vulnerability VCID-nfbc-tutd-37bw
29
vulnerability VCID-p42d-ta7v-7yhn
30
vulnerability VCID-pb3b-22wk-pbh5
31
vulnerability VCID-pmtw-nwnc-nyfw
32
vulnerability VCID-pqgj-ry81-6ua3
33
vulnerability VCID-qxnw-7urw-fud2
34
vulnerability VCID-rysu-xhvt-yqda
35
vulnerability VCID-s49h-br5r-5yh8
36
vulnerability VCID-swav-nrrn-wbcs
37
vulnerability VCID-tpjn-4kru-vucv
38
vulnerability VCID-vj7z-pmk3-cydg
39
vulnerability VCID-vras-f42j-xqfg
40
vulnerability VCID-vy44-rbar-w3fn
41
vulnerability VCID-w8ff-8479-rbfq
42
vulnerability VCID-xwza-guvs-83a9
43
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.1
aliases CVE-2022-27949, PYSEC-2022-42981
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5ufe-1rrj-rkgp
13
url VCID-6hxm-nnhg-buex
vulnerability_id VCID-6hxm-nnhg-buex
summary In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
references
0
reference_url https://github.com/advisories/GHSA-3v7g-4pg3-7r6j
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-3v7g-4pg3-7r6j
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml
3
reference_url https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t
reference_id
reference_type
scores
url https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24288
reference_id CVE-2022-24288
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-24288
fixed_packages
0
url pkg:pypi/apache-airflow@2.2.4
purl pkg:pypi/apache-airflow@2.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-5ufe-1rrj-rkgp
9
vulnerability VCID-7z8j-8f4d-53dm
10
vulnerability VCID-82p8-yujf-hkdd
11
vulnerability VCID-8m3p-yzr8-yyhj
12
vulnerability VCID-8npr-rvfd-jkfj
13
vulnerability VCID-8ykk-1kak-6bfd
14
vulnerability VCID-arbk-dryb-qkda
15
vulnerability VCID-ctd9-hxfn-8fcs
16
vulnerability VCID-d3kc-fn21-xqar
17
vulnerability VCID-dk1y-938p-k3bv
18
vulnerability VCID-e19b-adrm-x7fu
19
vulnerability VCID-fctg-457f-4uae
20
vulnerability VCID-fnsx-gtgn-27dr
21
vulnerability VCID-fut9-4dat-qbfy
22
vulnerability VCID-gg94-fdbv-y7g1
23
vulnerability VCID-hgq2-kuex-y3a3
24
vulnerability VCID-hpf3-3z3m-6ydt
25
vulnerability VCID-j6uh-kx6m-sydp
26
vulnerability VCID-kb4a-mm13-63bj
27
vulnerability VCID-kgfb-yphg-n3ec
28
vulnerability VCID-nfbc-tutd-37bw
29
vulnerability VCID-p42d-ta7v-7yhn
30
vulnerability VCID-pb3b-22wk-pbh5
31
vulnerability VCID-pmtw-nwnc-nyfw
32
vulnerability VCID-pqgj-ry81-6ua3
33
vulnerability VCID-qxnw-7urw-fud2
34
vulnerability VCID-rysu-xhvt-yqda
35
vulnerability VCID-s49h-br5r-5yh8
36
vulnerability VCID-tpjn-4kru-vucv
37
vulnerability VCID-vj7z-pmk3-cydg
38
vulnerability VCID-vras-f42j-xqfg
39
vulnerability VCID-vy44-rbar-w3fn
40
vulnerability VCID-w8ff-8479-rbfq
41
vulnerability VCID-xwza-guvs-83a9
42
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4
aliases CVE-2022-24288, GHSA-3v7g-4pg3-7r6j, PYSEC-2022-30
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6hxm-nnhg-buex
14
url VCID-7z8j-8f4d-53dm
vulnerability_id VCID-7z8j-8f4d-53dm
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8
2
reference_url https://github.com/apache/airflow/pull/32309
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32309
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml
4
reference_url https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d
reference_id
reference_type
scores
url https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-46651
reference_id CVE-2022-46651
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-46651
6
reference_url https://github.com/advisories/GHSA-xvw9-3mhm-xjqq
reference_id GHSA-xvw9-3mhm-xjqq
reference_type
scores
url https://github.com/advisories/GHSA-xvw9-3mhm-xjqq
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-vj7z-pmk3-cydg
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
26
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2022-46651, GHSA-xvw9-3mhm-xjqq, PYSEC-2023-103
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7z8j-8f4d-53dm
15
url VCID-82p8-yujf-hkdd
vulnerability_id VCID-82p8-yujf-hkdd
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
2
reference_url https://github.com/apache/airflow/pull/36257
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/36257
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
4
reference_url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
reference_id
reference_type
scores
url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
reference_id CVE-2023-50944
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
6
reference_url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
reference_id GHSA-vm5m-qmrx-fw8w
reference_type
scores
url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-4u8d-ezsr-sqcz
2
vulnerability VCID-82p8-yujf-hkdd
3
vulnerability VCID-8m3p-yzr8-yyhj
4
vulnerability VCID-arbk-dryb-qkda
5
vulnerability VCID-hpf3-3z3m-6ydt
6
vulnerability VCID-j6uh-kx6m-sydp
7
vulnerability VCID-k4r8-a72h-fkdf
8
vulnerability VCID-kb4a-mm13-63bj
9
vulnerability VCID-mbgq-fq5n-kufh
10
vulnerability VCID-tpjn-4kru-vucv
11
vulnerability VCID-vras-f42j-xqfg
12
vulnerability VCID-w8ff-8479-rbfq
13
vulnerability VCID-xwza-guvs-83a9
14
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-8m3p-yzr8-yyhj
2
vulnerability VCID-arbk-dryb-qkda
3
vulnerability VCID-hpf3-3z3m-6ydt
4
vulnerability VCID-j6uh-kx6m-sydp
5
vulnerability VCID-k4r8-a72h-fkdf
6
vulnerability VCID-kb4a-mm13-63bj
7
vulnerability VCID-mbgq-fq5n-kufh
8
vulnerability VCID-tpjn-4kru-vucv
9
vulnerability VCID-vras-f42j-xqfg
10
vulnerability VCID-w8ff-8479-rbfq
11
vulnerability VCID-xwza-guvs-83a9
12
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50944, GHSA-vm5m-qmrx-fw8w, PYSEC-2024-14
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-82p8-yujf-hkdd
16
url VCID-8m3p-yzr8-yyhj
vulnerability_id VCID-8m3p-yzr8-yyhj
summary 
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/40933
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://github.com/apache/airflow/pull/40933
1
reference_url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
2
reference_url http://www.openwall.com/lists/oss-security/2024/08/21/3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url http://www.openwall.com/lists/oss-security/2024/08/21/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.0
purl pkg:pypi/apache-airflow@2.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-j6uh-kx6m-sydp
2
vulnerability VCID-kb4a-mm13-63bj
3
vulnerability VCID-tpjn-4kru-vucv
4
vulnerability VCID-vras-f42j-xqfg
5
vulnerability VCID-w8ff-8479-rbfq
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0
aliases CVE-2024-41937, PYSEC-2024-181
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8m3p-yzr8-yyhj
17
url VCID-8npr-rvfd-jkfj
vulnerability_id VCID-8npr-rvfd-jkfj
summary 
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.

Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
2
reference_url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
3
reference_url https://github.com/apache/airflow/pull/33413
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33413
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml
5
reference_url https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
reference_id
reference_type
scores
url https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40611
reference_id CVE-2023-40611
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40611
7
reference_url https://github.com/advisories/GHSA-wpg8-mf6h-gm92
reference_id GHSA-wpg8-mf6h-gm92
reference_type
scores
url https://github.com/advisories/GHSA-wpg8-mf6h-gm92
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.1
purl pkg:pypi/apache-airflow@2.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-4u8d-ezsr-sqcz
3
vulnerability VCID-63fw-ggbk-9ycy
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8ykk-1kak-6bfd
7
vulnerability VCID-arbk-dryb-qkda
8
vulnerability VCID-cxqa-pqca-pqgc
9
vulnerability VCID-fctg-457f-4uae
10
vulnerability VCID-hgq2-kuex-y3a3
11
vulnerability VCID-hpf3-3z3m-6ydt
12
vulnerability VCID-j6uh-kx6m-sydp
13
vulnerability VCID-kb4a-mm13-63bj
14
vulnerability VCID-mbgq-fq5n-kufh
15
vulnerability VCID-nfbc-tutd-37bw
16
vulnerability VCID-pmtw-nwnc-nyfw
17
vulnerability VCID-rysu-xhvt-yqda
18
vulnerability VCID-tpjn-4kru-vucv
19
vulnerability VCID-unq1-wwfg-6ydk
20
vulnerability VCID-vras-f42j-xqfg
21
vulnerability VCID-w8ff-8479-rbfq
22
vulnerability VCID-xwza-guvs-83a9
23
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1
aliases CVE-2023-40611, GHSA-wpg8-mf6h-gm92, PYSEC-2023-170
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8npr-rvfd-jkfj
18
url VCID-8ykk-1kak-6bfd
vulnerability_id VCID-8ykk-1kak-6bfd
summary 
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/34355
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/34355
1
reference_url https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42780
reference_id CVE-2023-42780
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42780
3
reference_url https://github.com/advisories/GHSA-cgx2-rrmr-jx43
reference_id GHSA-cgx2-rrmr-jx43
reference_type
scores
url https://github.com/advisories/GHSA-cgx2-rrmr-jx43
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.2
purl pkg:pypi/apache-airflow@2.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-4u8d-ezsr-sqcz
3
vulnerability VCID-82p8-yujf-hkdd
4
vulnerability VCID-8m3p-yzr8-yyhj
5
vulnerability VCID-arbk-dryb-qkda
6
vulnerability VCID-cxqa-pqca-pqgc
7
vulnerability VCID-fctg-457f-4uae
8
vulnerability VCID-hpf3-3z3m-6ydt
9
vulnerability VCID-j6uh-kx6m-sydp
10
vulnerability VCID-kb4a-mm13-63bj
11
vulnerability VCID-mbgq-fq5n-kufh
12
vulnerability VCID-nfbc-tutd-37bw
13
vulnerability VCID-rysu-xhvt-yqda
14
vulnerability VCID-tpjn-4kru-vucv
15
vulnerability VCID-unq1-wwfg-6ydk
16
vulnerability VCID-vras-f42j-xqfg
17
vulnerability VCID-w8ff-8479-rbfq
18
vulnerability VCID-xwza-guvs-83a9
19
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2
aliases CVE-2023-42780, GHSA-cgx2-rrmr-jx43, PYSEC-2023-202
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8ykk-1kak-6bfd
19
url VCID-91ta-vnkv-5ydh
vulnerability_id VCID-91ta-vnkv-5ydh
summary A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-12417
reference_id
reference_type
scores
0
value 0.00745
scoring_system epss
scoring_elements 0.73342
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-12417
1
reference_url https://github.com/advisories/GHSA-q3p4-gw7r-wqjc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-q3p4-gw7r-wqjc
2
reference_url https://lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.6rc1
purl pkg:pypi/apache-airflow@1.10.6rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5qe8-jdbh-x7b4
12
vulnerability VCID-5ufe-1rrj-rkgp
13
vulnerability VCID-6hxm-nnhg-buex
14
vulnerability VCID-7z8j-8f4d-53dm
15
vulnerability VCID-82p8-yujf-hkdd
16
vulnerability VCID-8m3p-yzr8-yyhj
17
vulnerability VCID-8npr-rvfd-jkfj
18
vulnerability VCID-8ykk-1kak-6bfd
19
vulnerability VCID-9f34-2r5y-sydz
20
vulnerability VCID-arbk-dryb-qkda
21
vulnerability VCID-bn9u-brjp-yudy
22
vulnerability VCID-ctd9-hxfn-8fcs
23
vulnerability VCID-d3kc-fn21-xqar
24
vulnerability VCID-dk1y-938p-k3bv
25
vulnerability VCID-dp6s-jdma-a7cc
26
vulnerability VCID-e19b-adrm-x7fu
27
vulnerability VCID-fctg-457f-4uae
28
vulnerability VCID-fnsx-gtgn-27dr
29
vulnerability VCID-gbgf-jfzt-tqg1
30
vulnerability VCID-gg94-fdbv-y7g1
31
vulnerability VCID-gt7b-5554-y7dq
32
vulnerability VCID-hgq2-kuex-y3a3
33
vulnerability VCID-hpf3-3z3m-6ydt
34
vulnerability VCID-j6uh-kx6m-sydp
35
vulnerability VCID-jrwf-mt69-1ydt
36
vulnerability VCID-kb4a-mm13-63bj
37
vulnerability VCID-kgfb-yphg-n3ec
38
vulnerability VCID-krjr-ctw4-r3d3
39
vulnerability VCID-ms13-tzaa-hkej
40
vulnerability VCID-nfbc-tutd-37bw
41
vulnerability VCID-p42d-ta7v-7yhn
42
vulnerability VCID-pb3b-22wk-pbh5
43
vulnerability VCID-pmtw-nwnc-nyfw
44
vulnerability VCID-pqgj-ry81-6ua3
45
vulnerability VCID-qxnw-7urw-fud2
46
vulnerability VCID-rysu-xhvt-yqda
47
vulnerability VCID-s49h-br5r-5yh8
48
vulnerability VCID-ssbp-gvfd-2kef
49
vulnerability VCID-syqv-6kj7-j3e5
50
vulnerability VCID-tcjg-f9cn-mubj
51
vulnerability VCID-tpjn-4kru-vucv
52
vulnerability VCID-vj7z-pmk3-cydg
53
vulnerability VCID-vras-f42j-xqfg
54
vulnerability VCID-vy44-rbar-w3fn
55
vulnerability VCID-w8ff-8479-rbfq
56
vulnerability VCID-xwza-guvs-83a9
57
vulnerability VCID-ygjc-77t9-yfge
58
vulnerability VCID-ykge-bnhg-g7c4
59
vulnerability VCID-yrx8-dtav-83av
60
vulnerability VCID-yz8w-uv1z-5ybw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.6rc1
aliases CVE-2019-12417, GHSA-q3p4-gw7r-wqjc, PYSEC-2019-216
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91ta-vnkv-5ydh
20
url VCID-9f34-2r5y-sydz
vulnerability_id VCID-9f34-2r5y-sydz
summary Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-17526
reference_id
reference_type
scores
0
value 0.91349
scoring_system epss
scoring_elements 0.99674
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-17526
1
reference_url https://github.com/advisories/GHSA-7mx5-x372-xh87
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-7mx5-x372-xh87
2
reference_url https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
3
reference_url http://www.openwall.com/lists/oss-security/2020/12/21/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/12/21/1
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.14
purl pkg:pypi/apache-airflow@1.10.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-arbk-dryb-qkda
17
vulnerability VCID-bn9u-brjp-yudy
18
vulnerability VCID-ctd9-hxfn-8fcs
19
vulnerability VCID-d3kc-fn21-xqar
20
vulnerability VCID-dk1y-938p-k3bv
21
vulnerability VCID-e19b-adrm-x7fu
22
vulnerability VCID-fctg-457f-4uae
23
vulnerability VCID-fnsx-gtgn-27dr
24
vulnerability VCID-gbgf-jfzt-tqg1
25
vulnerability VCID-gg94-fdbv-y7g1
26
vulnerability VCID-gt7b-5554-y7dq
27
vulnerability VCID-hgq2-kuex-y3a3
28
vulnerability VCID-hpf3-3z3m-6ydt
29
vulnerability VCID-j6uh-kx6m-sydp
30
vulnerability VCID-jrwf-mt69-1ydt
31
vulnerability VCID-kb4a-mm13-63bj
32
vulnerability VCID-kgfb-yphg-n3ec
33
vulnerability VCID-ms13-tzaa-hkej
34
vulnerability VCID-nfbc-tutd-37bw
35
vulnerability VCID-p42d-ta7v-7yhn
36
vulnerability VCID-pb3b-22wk-pbh5
37
vulnerability VCID-pmtw-nwnc-nyfw
38
vulnerability VCID-pqgj-ry81-6ua3
39
vulnerability VCID-qxnw-7urw-fud2
40
vulnerability VCID-rysu-xhvt-yqda
41
vulnerability VCID-s49h-br5r-5yh8
42
vulnerability VCID-ssbp-gvfd-2kef
43
vulnerability VCID-tpjn-4kru-vucv
44
vulnerability VCID-vj7z-pmk3-cydg
45
vulnerability VCID-vras-f42j-xqfg
46
vulnerability VCID-vy44-rbar-w3fn
47
vulnerability VCID-w8ff-8479-rbfq
48
vulnerability VCID-xwza-guvs-83a9
49
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.14
aliases CVE-2020-17526, GHSA-7mx5-x372-xh87, PYSEC-2020-22
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9f34-2r5y-sydz
21
url VCID-arbk-dryb-qkda
vulnerability_id VCID-arbk-dryb-qkda
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
2
reference_url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
3
reference_url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
4
reference_url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
5
reference_url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
6
reference_url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
7
reference_url https://github.com/apache/airflow/pull/37501
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37501
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
9
reference_url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
reference_id
reference_type
scores
url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
reference_id CVE-2024-26280
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
11
reference_url https://github.com/advisories/GHSA-6xwf-xvf3-v459
reference_id GHSA-6xwf-xvf3-v459
reference_type
scores
url https://github.com/advisories/GHSA-6xwf-xvf3-v459
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-8m3p-yzr8-yyhj
2
vulnerability VCID-974g-7wsa-dqd7
3
vulnerability VCID-hpf3-3z3m-6ydt
4
vulnerability VCID-j6uh-kx6m-sydp
5
vulnerability VCID-k4r8-a72h-fkdf
6
vulnerability VCID-kb4a-mm13-63bj
7
vulnerability VCID-mbgq-fq5n-kufh
8
vulnerability VCID-tpjn-4kru-vucv
9
vulnerability VCID-vras-f42j-xqfg
10
vulnerability VCID-w8ff-8479-rbfq
11
vulnerability VCID-xwza-guvs-83a9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-26280, GHSA-6xwf-xvf3-v459, PYSEC-2024-42
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-arbk-dryb-qkda
22
url VCID-bn9u-brjp-yudy
vulnerability_id VCID-bn9u-brjp-yudy
summary 
Edge3 Worker RPC RCE on Airflow 2.

This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2.



The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do.

If you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) has minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2.

If you used Edge Provider in Airflow 3, you are not affected.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/59143
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/59143
2
reference_url https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs
3
reference_url http://www.openwall.com/lists/oss-security/2025/12/16/3
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url http://www.openwall.com/lists/oss-security/2025/12/16/3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67895
reference_id CVE-2025-67895
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-67895
5
reference_url https://github.com/advisories/GHSA-66h8-3g48-6hx8
reference_id GHSA-66h8-3g48-6hx8
reference_type
scores
url https://github.com/advisories/GHSA-66h8-3g48-6hx8
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.0
purl pkg:pypi/apache-airflow@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-arbk-dryb-qkda
17
vulnerability VCID-ctd9-hxfn-8fcs
18
vulnerability VCID-d3kc-fn21-xqar
19
vulnerability VCID-dk1y-938p-k3bv
20
vulnerability VCID-e19b-adrm-x7fu
21
vulnerability VCID-fctg-457f-4uae
22
vulnerability VCID-fnsx-gtgn-27dr
23
vulnerability VCID-gbgf-jfzt-tqg1
24
vulnerability VCID-gg94-fdbv-y7g1
25
vulnerability VCID-gt7b-5554-y7dq
26
vulnerability VCID-hgq2-kuex-y3a3
27
vulnerability VCID-hpf3-3z3m-6ydt
28
vulnerability VCID-j6uh-kx6m-sydp
29
vulnerability VCID-jrwf-mt69-1ydt
30
vulnerability VCID-kb4a-mm13-63bj
31
vulnerability VCID-kgfb-yphg-n3ec
32
vulnerability VCID-kjw8-c6cn-3kee
33
vulnerability VCID-ms13-tzaa-hkej
34
vulnerability VCID-nfbc-tutd-37bw
35
vulnerability VCID-p42d-ta7v-7yhn
36
vulnerability VCID-pb3b-22wk-pbh5
37
vulnerability VCID-pmtw-nwnc-nyfw
38
vulnerability VCID-pqgj-ry81-6ua3
39
vulnerability VCID-qxnw-7urw-fud2
40
vulnerability VCID-rysu-xhvt-yqda
41
vulnerability VCID-s49h-br5r-5yh8
42
vulnerability VCID-ssbp-gvfd-2kef
43
vulnerability VCID-tpjn-4kru-vucv
44
vulnerability VCID-vj7z-pmk3-cydg
45
vulnerability VCID-vras-f42j-xqfg
46
vulnerability VCID-vy44-rbar-w3fn
47
vulnerability VCID-w8ff-8479-rbfq
48
vulnerability VCID-xwza-guvs-83a9
49
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.0
aliases CVE-2025-67895, GHSA-66h8-3g48-6hx8, PYSEC-2025-87
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bn9u-brjp-yudy
23
url VCID-bxw8-918z-1be5
vulnerability_id VCID-bxw8-918z-1be5
summary In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-12398
reference_id
reference_type
scores
0
value 0.00608
scoring_system epss
scoring_elements 0.70049
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-12398
1
reference_url https://github.com/advisories/GHSA-rjvg-q57v-mjjc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-rjvg-q57v-mjjc
2
reference_url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b@%3Cdev.airflow.apache.org%3E
3
reference_url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
4
reference_url http://www.openwall.com/lists/oss-security/2020/01/14/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/01/14/2
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.5
purl pkg:pypi/apache-airflow@1.10.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5qe8-jdbh-x7b4
12
vulnerability VCID-5ufe-1rrj-rkgp
13
vulnerability VCID-6hxm-nnhg-buex
14
vulnerability VCID-7z8j-8f4d-53dm
15
vulnerability VCID-82p8-yujf-hkdd
16
vulnerability VCID-8m3p-yzr8-yyhj
17
vulnerability VCID-8npr-rvfd-jkfj
18
vulnerability VCID-8ykk-1kak-6bfd
19
vulnerability VCID-91ta-vnkv-5ydh
20
vulnerability VCID-9f34-2r5y-sydz
21
vulnerability VCID-arbk-dryb-qkda
22
vulnerability VCID-bn9u-brjp-yudy
23
vulnerability VCID-ctd9-hxfn-8fcs
24
vulnerability VCID-d3kc-fn21-xqar
25
vulnerability VCID-dk1y-938p-k3bv
26
vulnerability VCID-dp6s-jdma-a7cc
27
vulnerability VCID-e19b-adrm-x7fu
28
vulnerability VCID-fctg-457f-4uae
29
vulnerability VCID-fnsx-gtgn-27dr
30
vulnerability VCID-gbgf-jfzt-tqg1
31
vulnerability VCID-gg94-fdbv-y7g1
32
vulnerability VCID-gt7b-5554-y7dq
33
vulnerability VCID-hgq2-kuex-y3a3
34
vulnerability VCID-hpf3-3z3m-6ydt
35
vulnerability VCID-j6uh-kx6m-sydp
36
vulnerability VCID-jrwf-mt69-1ydt
37
vulnerability VCID-kb4a-mm13-63bj
38
vulnerability VCID-kgfb-yphg-n3ec
39
vulnerability VCID-krjr-ctw4-r3d3
40
vulnerability VCID-ms13-tzaa-hkej
41
vulnerability VCID-nfbc-tutd-37bw
42
vulnerability VCID-p42d-ta7v-7yhn
43
vulnerability VCID-pb3b-22wk-pbh5
44
vulnerability VCID-pmtw-nwnc-nyfw
45
vulnerability VCID-pqgj-ry81-6ua3
46
vulnerability VCID-qxnw-7urw-fud2
47
vulnerability VCID-rysu-xhvt-yqda
48
vulnerability VCID-s49h-br5r-5yh8
49
vulnerability VCID-ssbp-gvfd-2kef
50
vulnerability VCID-syqv-6kj7-j3e5
51
vulnerability VCID-tcjg-f9cn-mubj
52
vulnerability VCID-tpjn-4kru-vucv
53
vulnerability VCID-vj7z-pmk3-cydg
54
vulnerability VCID-vras-f42j-xqfg
55
vulnerability VCID-vy44-rbar-w3fn
56
vulnerability VCID-w8ff-8479-rbfq
57
vulnerability VCID-xwza-guvs-83a9
58
vulnerability VCID-ygjc-77t9-yfge
59
vulnerability VCID-ykge-bnhg-g7c4
60
vulnerability VCID-yrx8-dtav-83av
61
vulnerability VCID-yz8w-uv1z-5ybw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.5
aliases CVE-2019-12398, GHSA-rjvg-q57v-mjjc, PYSEC-2020-162
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bxw8-918z-1be5
24
url VCID-ctd9-hxfn-8fcs
vulnerability_id VCID-ctd9-hxfn-8fcs
summary In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
references
0
reference_url https://github.com/apache/airflow/pull/26635
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/26635
1
reference_url https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
reference_id
reference_type
scores
url https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.2rc1
purl pkg:pypi/apache-airflow@2.4.2rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-d3kc-fn21-xqar
15
vulnerability VCID-dk1y-938p-k3bv
16
vulnerability VCID-e19b-adrm-x7fu
17
vulnerability VCID-fctg-457f-4uae
18
vulnerability VCID-hgq2-kuex-y3a3
19
vulnerability VCID-hpf3-3z3m-6ydt
20
vulnerability VCID-j6uh-kx6m-sydp
21
vulnerability VCID-kb4a-mm13-63bj
22
vulnerability VCID-kgfb-yphg-n3ec
23
vulnerability VCID-mbgq-fq5n-kufh
24
vulnerability VCID-nfbc-tutd-37bw
25
vulnerability VCID-pb3b-22wk-pbh5
26
vulnerability VCID-pmtw-nwnc-nyfw
27
vulnerability VCID-pqgj-ry81-6ua3
28
vulnerability VCID-qxnw-7urw-fud2
29
vulnerability VCID-rysu-xhvt-yqda
30
vulnerability VCID-s49h-br5r-5yh8
31
vulnerability VCID-tpjn-4kru-vucv
32
vulnerability VCID-vj7z-pmk3-cydg
33
vulnerability VCID-vras-f42j-xqfg
34
vulnerability VCID-vy44-rbar-w3fn
35
vulnerability VCID-w8ff-8479-rbfq
36
vulnerability VCID-xwza-guvs-83a9
37
vulnerability VCID-yrx8-dtav-83av
38
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2rc1
aliases CVE-2022-41672, PYSEC-2022-42983
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ctd9-hxfn-8fcs
25
url VCID-d3kc-fn21-xqar
vulnerability_id VCID-d3kc-fn21-xqar
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
2
reference_url https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3
3
reference_url https://github.com/apache/airflow/pull/32293
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32293
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml
5
reference_url https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo
reference_id
reference_type
scores
url https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22887
reference_id CVE-2023-22887
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-22887
7
reference_url https://github.com/advisories/GHSA-ggwr-4vr8-g7wv
reference_id GHSA-ggwr-4vr8-g7wv
reference_type
scores
url https://github.com/advisories/GHSA-ggwr-4vr8-g7wv
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-vj7z-pmk3-cydg
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
26
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-22887, GHSA-ggwr-4vr8-g7wv, PYSEC-2023-104
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d3kc-fn21-xqar
26
url VCID-dk1y-938p-k3bv
vulnerability_id VCID-dk1y-938p-k3bv
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
2
reference_url https://github.com/apache/airflow/pull/32293
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32293
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml
4
reference_url https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z
reference_id
reference_type
scores
url https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22888
reference_id CVE-2023-22888
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-22888
6
reference_url https://github.com/advisories/GHSA-5946-8p38-vffp
reference_id GHSA-5946-8p38-vffp
reference_type
scores
url https://github.com/advisories/GHSA-5946-8p38-vffp
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-vj7z-pmk3-cydg
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
26
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-22888, GHSA-5946-8p38-vffp, PYSEC-2023-105
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dk1y-938p-k3bv
27
url VCID-dp6s-jdma-a7cc
vulnerability_id VCID-dp6s-jdma-a7cc
summary An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-9485
reference_id
reference_type
scores
0
value 0.02134
scoring_system epss
scoring_elements 0.84471
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-9485
1
reference_url https://github.com/advisories/GHSA-j38c-25fj-mr84
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-j38c-25fj-mr84
2
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5ufe-1rrj-rkgp
12
vulnerability VCID-6hxm-nnhg-buex
13
vulnerability VCID-7z8j-8f4d-53dm
14
vulnerability VCID-82p8-yujf-hkdd
15
vulnerability VCID-8m3p-yzr8-yyhj
16
vulnerability VCID-8npr-rvfd-jkfj
17
vulnerability VCID-8ykk-1kak-6bfd
18
vulnerability VCID-9f34-2r5y-sydz
19
vulnerability VCID-arbk-dryb-qkda
20
vulnerability VCID-bn9u-brjp-yudy
21
vulnerability VCID-ctd9-hxfn-8fcs
22
vulnerability VCID-d3kc-fn21-xqar
23
vulnerability VCID-dk1y-938p-k3bv
24
vulnerability VCID-e19b-adrm-x7fu
25
vulnerability VCID-fctg-457f-4uae
26
vulnerability VCID-fnsx-gtgn-27dr
27
vulnerability VCID-gbgf-jfzt-tqg1
28
vulnerability VCID-gg94-fdbv-y7g1
29
vulnerability VCID-gt7b-5554-y7dq
30
vulnerability VCID-hgq2-kuex-y3a3
31
vulnerability VCID-hpf3-3z3m-6ydt
32
vulnerability VCID-j6uh-kx6m-sydp
33
vulnerability VCID-jrwf-mt69-1ydt
34
vulnerability VCID-kb4a-mm13-63bj
35
vulnerability VCID-kgfb-yphg-n3ec
36
vulnerability VCID-krjr-ctw4-r3d3
37
vulnerability VCID-ms13-tzaa-hkej
38
vulnerability VCID-nfbc-tutd-37bw
39
vulnerability VCID-p42d-ta7v-7yhn
40
vulnerability VCID-pb3b-22wk-pbh5
41
vulnerability VCID-pmtw-nwnc-nyfw
42
vulnerability VCID-pqgj-ry81-6ua3
43
vulnerability VCID-qxnw-7urw-fud2
44
vulnerability VCID-rysu-xhvt-yqda
45
vulnerability VCID-s49h-br5r-5yh8
46
vulnerability VCID-ssbp-gvfd-2kef
47
vulnerability VCID-tcjg-f9cn-mubj
48
vulnerability VCID-tpjn-4kru-vucv
49
vulnerability VCID-vj7z-pmk3-cydg
50
vulnerability VCID-vras-f42j-xqfg
51
vulnerability VCID-vy44-rbar-w3fn
52
vulnerability VCID-w8ff-8479-rbfq
53
vulnerability VCID-xwza-guvs-83a9
54
vulnerability VCID-ygjc-77t9-yfge
55
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
aliases CVE-2020-9485, GHSA-j38c-25fj-mr84, PYSEC-2020-23
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dp6s-jdma-a7cc
28
url VCID-e19b-adrm-x7fu
vulnerability_id VCID-e19b-adrm-x7fu
summary In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.
references
0
reference_url https://github.com/apache/airflow/pull/27576
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/27576
1
reference_url https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh
reference_id
reference_type
scores
url https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh
2
reference_url http://www.openwall.com/lists/oss-security/2022/11/15/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/11/15/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.3
purl pkg:pypi/apache-airflow@2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-7z8j-8f4d-53dm
8
vulnerability VCID-82p8-yujf-hkdd
9
vulnerability VCID-8m3p-yzr8-yyhj
10
vulnerability VCID-8npr-rvfd-jkfj
11
vulnerability VCID-8ykk-1kak-6bfd
12
vulnerability VCID-arbk-dryb-qkda
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-kgfb-yphg-n3ec
21
vulnerability VCID-mbgq-fq5n-kufh
22
vulnerability VCID-nfbc-tutd-37bw
23
vulnerability VCID-pb3b-22wk-pbh5
24
vulnerability VCID-pmtw-nwnc-nyfw
25
vulnerability VCID-rysu-xhvt-yqda
26
vulnerability VCID-s49h-br5r-5yh8
27
vulnerability VCID-tpjn-4kru-vucv
28
vulnerability VCID-vj7z-pmk3-cydg
29
vulnerability VCID-vras-f42j-xqfg
30
vulnerability VCID-vy44-rbar-w3fn
31
vulnerability VCID-w8ff-8479-rbfq
32
vulnerability VCID-xwza-guvs-83a9
33
vulnerability VCID-yrx8-dtav-83av
34
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3
aliases CVE-2022-45402, PYSEC-2022-42984
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e19b-adrm-x7fu
29
url VCID-fctg-457f-4uae
vulnerability_id VCID-fctg-457f-4uae
summary 
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.  This is a different issue than CVE-2023-42663 but leading to similar outcome.
Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3
2
reference_url https://github.com/apache/airflow/pull/34939
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/34939
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml
4
reference_url https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1
reference_id
reference_type
scores
url https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42781
reference_id CVE-2023-42781
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42781
6
reference_url https://github.com/advisories/GHSA-r7x6-xfcm-3mxv
reference_id GHSA-r7x6-xfcm-3mxv
reference_type
scores
url https://github.com/advisories/GHSA-r7x6-xfcm-3mxv
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.3
purl pkg:pypi/apache-airflow@2.7.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-4u8d-ezsr-sqcz
2
vulnerability VCID-82p8-yujf-hkdd
3
vulnerability VCID-8m3p-yzr8-yyhj
4
vulnerability VCID-arbk-dryb-qkda
5
vulnerability VCID-cxqa-pqca-pqgc
6
vulnerability VCID-hpf3-3z3m-6ydt
7
vulnerability VCID-j6uh-kx6m-sydp
8
vulnerability VCID-kb4a-mm13-63bj
9
vulnerability VCID-mbgq-fq5n-kufh
10
vulnerability VCID-nfbc-tutd-37bw
11
vulnerability VCID-rysu-xhvt-yqda
12
vulnerability VCID-tpjn-4kru-vucv
13
vulnerability VCID-unq1-wwfg-6ydk
14
vulnerability VCID-vras-f42j-xqfg
15
vulnerability VCID-w8ff-8479-rbfq
16
vulnerability VCID-xwza-guvs-83a9
17
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3
aliases CVE-2023-42781, GHSA-r7x6-xfcm-3mxv, PYSEC-2023-231
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fctg-457f-4uae
30
url VCID-fnsx-gtgn-27dr
vulnerability_id VCID-fnsx-gtgn-27dr
summary A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
references
0
reference_url https://github.com/apache/airflow/pull/25960
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/25960
1
reference_url https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
reference_id
reference_type
scores
url https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
2
reference_url http://www.openwall.com/lists/oss-security/2022/11/14/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/11/14/2
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.0
purl pkg:pypi/apache-airflow@2.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-ctd9-hxfn-8fcs
15
vulnerability VCID-d3kc-fn21-xqar
16
vulnerability VCID-dk1y-938p-k3bv
17
vulnerability VCID-e19b-adrm-x7fu
18
vulnerability VCID-fctg-457f-4uae
19
vulnerability VCID-hgq2-kuex-y3a3
20
vulnerability VCID-hpf3-3z3m-6ydt
21
vulnerability VCID-j6uh-kx6m-sydp
22
vulnerability VCID-kb4a-mm13-63bj
23
vulnerability VCID-kgfb-yphg-n3ec
24
vulnerability VCID-mbgq-fq5n-kufh
25
vulnerability VCID-nfbc-tutd-37bw
26
vulnerability VCID-pb3b-22wk-pbh5
27
vulnerability VCID-pmtw-nwnc-nyfw
28
vulnerability VCID-pqgj-ry81-6ua3
29
vulnerability VCID-qxnw-7urw-fud2
30
vulnerability VCID-rysu-xhvt-yqda
31
vulnerability VCID-s49h-br5r-5yh8
32
vulnerability VCID-tpjn-4kru-vucv
33
vulnerability VCID-vj7z-pmk3-cydg
34
vulnerability VCID-vras-f42j-xqfg
35
vulnerability VCID-vy44-rbar-w3fn
36
vulnerability VCID-w8ff-8479-rbfq
37
vulnerability VCID-xwza-guvs-83a9
38
vulnerability VCID-yrx8-dtav-83av
39
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.0
aliases CVE-2022-40127, PYSEC-2022-42982
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fnsx-gtgn-27dr
31
url VCID-gbgf-jfzt-tqg1
vulnerability_id VCID-gbgf-jfzt-tqg1
summary It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.
references
0
reference_url https://github.com/advisories/GHSA-65xw-pcqw-hjrh
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-65xw-pcqw-hjrh
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml
4
reference_url https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk
reference_id
reference_type
scores
url https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-45229
reference_id CVE-2021-45229
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-45229
fixed_packages
0
url pkg:pypi/apache-airflow@2.2.4rc1
purl pkg:pypi/apache-airflow@2.2.4rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-5ufe-1rrj-rkgp
9
vulnerability VCID-6hxm-nnhg-buex
10
vulnerability VCID-7z8j-8f4d-53dm
11
vulnerability VCID-82p8-yujf-hkdd
12
vulnerability VCID-8m3p-yzr8-yyhj
13
vulnerability VCID-8npr-rvfd-jkfj
14
vulnerability VCID-8ykk-1kak-6bfd
15
vulnerability VCID-arbk-dryb-qkda
16
vulnerability VCID-ctd9-hxfn-8fcs
17
vulnerability VCID-d3kc-fn21-xqar
18
vulnerability VCID-dk1y-938p-k3bv
19
vulnerability VCID-e19b-adrm-x7fu
20
vulnerability VCID-fctg-457f-4uae
21
vulnerability VCID-fnsx-gtgn-27dr
22
vulnerability VCID-gg94-fdbv-y7g1
23
vulnerability VCID-hgq2-kuex-y3a3
24
vulnerability VCID-hpf3-3z3m-6ydt
25
vulnerability VCID-j6uh-kx6m-sydp
26
vulnerability VCID-kb4a-mm13-63bj
27
vulnerability VCID-kgfb-yphg-n3ec
28
vulnerability VCID-nfbc-tutd-37bw
29
vulnerability VCID-p42d-ta7v-7yhn
30
vulnerability VCID-pb3b-22wk-pbh5
31
vulnerability VCID-pmtw-nwnc-nyfw
32
vulnerability VCID-pqgj-ry81-6ua3
33
vulnerability VCID-qxnw-7urw-fud2
34
vulnerability VCID-rysu-xhvt-yqda
35
vulnerability VCID-s49h-br5r-5yh8
36
vulnerability VCID-tpjn-4kru-vucv
37
vulnerability VCID-vj7z-pmk3-cydg
38
vulnerability VCID-vras-f42j-xqfg
39
vulnerability VCID-vy44-rbar-w3fn
40
vulnerability VCID-w8ff-8479-rbfq
41
vulnerability VCID-xwza-guvs-83a9
42
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4rc1
aliases CVE-2021-45229, GHSA-65xw-pcqw-hjrh, PYSEC-2022-29
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gbgf-jfzt-tqg1
32
url VCID-gg94-fdbv-y7g1
vulnerability_id VCID-gg94-fdbv-y7g1
summary Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3
2
reference_url https://github.com/apache/airflow/pull/30215
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/30215
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml
4
reference_url https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk
reference_id
reference_type
scores
url https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk
5
reference_url https://www.openwall.com/lists/oss-security/2023/04/07/1
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/04/07/1
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28707
reference_id CVE-2023-28707
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-28707
7
reference_url https://github.com/advisories/GHSA-85pf-r4c7-3j9r
reference_id GHSA-85pf-r4c7-3j9r
reference_type
scores
url https://github.com/advisories/GHSA-85pf-r4c7-3j9r
fixed_packages
0
url pkg:pypi/apache-airflow@2.3.2
purl pkg:pypi/apache-airflow@2.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-ctd9-hxfn-8fcs
15
vulnerability VCID-d3kc-fn21-xqar
16
vulnerability VCID-dk1y-938p-k3bv
17
vulnerability VCID-e19b-adrm-x7fu
18
vulnerability VCID-fctg-457f-4uae
19
vulnerability VCID-fnsx-gtgn-27dr
20
vulnerability VCID-fut9-4dat-qbfy
21
vulnerability VCID-hgq2-kuex-y3a3
22
vulnerability VCID-hpf3-3z3m-6ydt
23
vulnerability VCID-j6uh-kx6m-sydp
24
vulnerability VCID-k7ea-m9cw-w3fz
25
vulnerability VCID-kb4a-mm13-63bj
26
vulnerability VCID-kgfb-yphg-n3ec
27
vulnerability VCID-nfbc-tutd-37bw
28
vulnerability VCID-p42d-ta7v-7yhn
29
vulnerability VCID-pb3b-22wk-pbh5
30
vulnerability VCID-pmtw-nwnc-nyfw
31
vulnerability VCID-pqgj-ry81-6ua3
32
vulnerability VCID-qxnw-7urw-fud2
33
vulnerability VCID-rysu-xhvt-yqda
34
vulnerability VCID-s49h-br5r-5yh8
35
vulnerability VCID-swav-nrrn-wbcs
36
vulnerability VCID-tpjn-4kru-vucv
37
vulnerability VCID-vj7z-pmk3-cydg
38
vulnerability VCID-vras-f42j-xqfg
39
vulnerability VCID-vy44-rbar-w3fn
40
vulnerability VCID-w8ff-8479-rbfq
41
vulnerability VCID-xwza-guvs-83a9
42
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.2
aliases CVE-2023-28707, GHSA-85pf-r4c7-3j9r, PYSEC-2023-3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gg94-fdbv-y7g1
33
url VCID-gt7b-5554-y7dq
vulnerability_id VCID-gt7b-5554-y7dq
summary The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
references
0
reference_url https://github.com/advisories/GHSA-3xxv-p78r-4fc6
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-3xxv-p78r-4fc6
1
reference_url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
2
reference_url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.15
purl pkg:pypi/apache-airflow@1.10.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-arbk-dryb-qkda
17
vulnerability VCID-bn9u-brjp-yudy
18
vulnerability VCID-ctd9-hxfn-8fcs
19
vulnerability VCID-d3kc-fn21-xqar
20
vulnerability VCID-dk1y-938p-k3bv
21
vulnerability VCID-e19b-adrm-x7fu
22
vulnerability VCID-fctg-457f-4uae
23
vulnerability VCID-fnsx-gtgn-27dr
24
vulnerability VCID-gbgf-jfzt-tqg1
25
vulnerability VCID-gg94-fdbv-y7g1
26
vulnerability VCID-hgq2-kuex-y3a3
27
vulnerability VCID-hpf3-3z3m-6ydt
28
vulnerability VCID-j6uh-kx6m-sydp
29
vulnerability VCID-jrwf-mt69-1ydt
30
vulnerability VCID-kb4a-mm13-63bj
31
vulnerability VCID-kgfb-yphg-n3ec
32
vulnerability VCID-ms13-tzaa-hkej
33
vulnerability VCID-nfbc-tutd-37bw
34
vulnerability VCID-p42d-ta7v-7yhn
35
vulnerability VCID-pb3b-22wk-pbh5
36
vulnerability VCID-pmtw-nwnc-nyfw
37
vulnerability VCID-pqgj-ry81-6ua3
38
vulnerability VCID-qxnw-7urw-fud2
39
vulnerability VCID-rysu-xhvt-yqda
40
vulnerability VCID-s49h-br5r-5yh8
41
vulnerability VCID-ssbp-gvfd-2kef
42
vulnerability VCID-tpjn-4kru-vucv
43
vulnerability VCID-vj7z-pmk3-cydg
44
vulnerability VCID-vras-f42j-xqfg
45
vulnerability VCID-vy44-rbar-w3fn
46
vulnerability VCID-w8ff-8479-rbfq
47
vulnerability VCID-xwza-guvs-83a9
48
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.15
1
url pkg:pypi/apache-airflow@2.0.2
purl pkg:pypi/apache-airflow@2.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-arbk-dryb-qkda
17
vulnerability VCID-ctd9-hxfn-8fcs
18
vulnerability VCID-d3kc-fn21-xqar
19
vulnerability VCID-dk1y-938p-k3bv
20
vulnerability VCID-e19b-adrm-x7fu
21
vulnerability VCID-fctg-457f-4uae
22
vulnerability VCID-fnsx-gtgn-27dr
23
vulnerability VCID-gbgf-jfzt-tqg1
24
vulnerability VCID-gg94-fdbv-y7g1
25
vulnerability VCID-hgq2-kuex-y3a3
26
vulnerability VCID-hpf3-3z3m-6ydt
27
vulnerability VCID-j6uh-kx6m-sydp
28
vulnerability VCID-jrwf-mt69-1ydt
29
vulnerability VCID-kb4a-mm13-63bj
30
vulnerability VCID-kgfb-yphg-n3ec
31
vulnerability VCID-kjw8-c6cn-3kee
32
vulnerability VCID-nfbc-tutd-37bw
33
vulnerability VCID-p42d-ta7v-7yhn
34
vulnerability VCID-pb3b-22wk-pbh5
35
vulnerability VCID-pmtw-nwnc-nyfw
36
vulnerability VCID-pqgj-ry81-6ua3
37
vulnerability VCID-qxnw-7urw-fud2
38
vulnerability VCID-rysu-xhvt-yqda
39
vulnerability VCID-s49h-br5r-5yh8
40
vulnerability VCID-tpjn-4kru-vucv
41
vulnerability VCID-vj7z-pmk3-cydg
42
vulnerability VCID-vras-f42j-xqfg
43
vulnerability VCID-vy44-rbar-w3fn
44
vulnerability VCID-w8ff-8479-rbfq
45
vulnerability VCID-xwza-guvs-83a9
46
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.2
aliases CVE-2021-28359, GHSA-3xxv-p78r-4fc6, PYSEC-2021-4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gt7b-5554-y7dq
34
url VCID-hgq2-kuex-y3a3
vulnerability_id VCID-hgq2-kuex-y3a3
summary 
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/34315
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/34315
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml
3
reference_url https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
reference_id
reference_type
scores
url https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42663
reference_id CVE-2023-42663
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42663
5
reference_url https://github.com/advisories/GHSA-32wr-qqw6-5mfp
reference_id GHSA-32wr-qqw6-5mfp
reference_type
scores
url https://github.com/advisories/GHSA-32wr-qqw6-5mfp
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.2
purl pkg:pypi/apache-airflow@2.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-4u8d-ezsr-sqcz
3
vulnerability VCID-82p8-yujf-hkdd
4
vulnerability VCID-8m3p-yzr8-yyhj
5
vulnerability VCID-arbk-dryb-qkda
6
vulnerability VCID-cxqa-pqca-pqgc
7
vulnerability VCID-fctg-457f-4uae
8
vulnerability VCID-hpf3-3z3m-6ydt
9
vulnerability VCID-j6uh-kx6m-sydp
10
vulnerability VCID-kb4a-mm13-63bj
11
vulnerability VCID-mbgq-fq5n-kufh
12
vulnerability VCID-nfbc-tutd-37bw
13
vulnerability VCID-rysu-xhvt-yqda
14
vulnerability VCID-tpjn-4kru-vucv
15
vulnerability VCID-unq1-wwfg-6ydk
16
vulnerability VCID-vras-f42j-xqfg
17
vulnerability VCID-w8ff-8479-rbfq
18
vulnerability VCID-xwza-guvs-83a9
19
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2
aliases CVE-2023-42663, GHSA-32wr-qqw6-5mfp, PYSEC-2023-197
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hgq2-kuex-y3a3
35
url VCID-hpf3-3z3m-6ydt
vulnerability_id VCID-hpf3-3z3m-6ydt
summary 
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/39550
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/39550
1
reference_url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
2
reference_url http://www.openwall.com/lists/oss-security/2024/06/13/1
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2024/06/13/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.2
purl pkg:pypi/apache-airflow@2.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-8m3p-yzr8-yyhj
2
vulnerability VCID-j6uh-kx6m-sydp
3
vulnerability VCID-kb4a-mm13-63bj
4
vulnerability VCID-mbgq-fq5n-kufh
5
vulnerability VCID-tpjn-4kru-vucv
6
vulnerability VCID-vras-f42j-xqfg
7
vulnerability VCID-w8ff-8479-rbfq
8
vulnerability VCID-xwza-guvs-83a9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2
aliases CVE-2024-25142, PYSEC-2024-195
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hpf3-3z3m-6ydt
36
url VCID-j6uh-kx6m-sydp
vulnerability_id VCID-j6uh-kx6m-sydp
summary 
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/61641
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/61641
1
reference_url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/9
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url http://www.openwall.com/lists/oss-security/2026/04/17/9
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-25917, PYSEC-2026-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j6uh-kx6m-sydp
37
url VCID-jrwf-mt69-1ydt
vulnerability_id VCID-jrwf-mt69-1ydt
summary In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.
references
0
reference_url https://github.com/advisories/GHSA-4jh2-3c85-q67h
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-4jh2-3c85-q67h
1
reference_url https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl
reference_id
reference_type
scores
url https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-45230
reference_id CVE-2021-45230
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-45230
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.0b1
purl pkg:pypi/apache-airflow@2.0.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-arbk-dryb-qkda
17
vulnerability VCID-bn9u-brjp-yudy
18
vulnerability VCID-ctd9-hxfn-8fcs
19
vulnerability VCID-d3kc-fn21-xqar
20
vulnerability VCID-dk1y-938p-k3bv
21
vulnerability VCID-e19b-adrm-x7fu
22
vulnerability VCID-fctg-457f-4uae
23
vulnerability VCID-fnsx-gtgn-27dr
24
vulnerability VCID-gbgf-jfzt-tqg1
25
vulnerability VCID-gg94-fdbv-y7g1
26
vulnerability VCID-hgq2-kuex-y3a3
27
vulnerability VCID-hpf3-3z3m-6ydt
28
vulnerability VCID-j6uh-kx6m-sydp
29
vulnerability VCID-kb4a-mm13-63bj
30
vulnerability VCID-kgfb-yphg-n3ec
31
vulnerability VCID-ms13-tzaa-hkej
32
vulnerability VCID-nfbc-tutd-37bw
33
vulnerability VCID-p42d-ta7v-7yhn
34
vulnerability VCID-pb3b-22wk-pbh5
35
vulnerability VCID-pmtw-nwnc-nyfw
36
vulnerability VCID-pqgj-ry81-6ua3
37
vulnerability VCID-qxnw-7urw-fud2
38
vulnerability VCID-rysu-xhvt-yqda
39
vulnerability VCID-s49h-br5r-5yh8
40
vulnerability VCID-ssbp-gvfd-2kef
41
vulnerability VCID-tpjn-4kru-vucv
42
vulnerability VCID-vj7z-pmk3-cydg
43
vulnerability VCID-vras-f42j-xqfg
44
vulnerability VCID-vy44-rbar-w3fn
45
vulnerability VCID-w8ff-8479-rbfq
46
vulnerability VCID-xwza-guvs-83a9
47
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.0b1
1
url pkg:pypi/apache-airflow@2.2.0
purl pkg:pypi/apache-airflow@2.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-5ufe-1rrj-rkgp
9
vulnerability VCID-6hxm-nnhg-buex
10
vulnerability VCID-7z8j-8f4d-53dm
11
vulnerability VCID-82p8-yujf-hkdd
12
vulnerability VCID-8m3p-yzr8-yyhj
13
vulnerability VCID-8npr-rvfd-jkfj
14
vulnerability VCID-8ykk-1kak-6bfd
15
vulnerability VCID-arbk-dryb-qkda
16
vulnerability VCID-ctd9-hxfn-8fcs
17
vulnerability VCID-d3kc-fn21-xqar
18
vulnerability VCID-dk1y-938p-k3bv
19
vulnerability VCID-e19b-adrm-x7fu
20
vulnerability VCID-fctg-457f-4uae
21
vulnerability VCID-fnsx-gtgn-27dr
22
vulnerability VCID-gbgf-jfzt-tqg1
23
vulnerability VCID-gg94-fdbv-y7g1
24
vulnerability VCID-hgq2-kuex-y3a3
25
vulnerability VCID-hpf3-3z3m-6ydt
26
vulnerability VCID-j6uh-kx6m-sydp
27
vulnerability VCID-kb4a-mm13-63bj
28
vulnerability VCID-kgfb-yphg-n3ec
29
vulnerability VCID-nfbc-tutd-37bw
30
vulnerability VCID-p42d-ta7v-7yhn
31
vulnerability VCID-pb3b-22wk-pbh5
32
vulnerability VCID-pmtw-nwnc-nyfw
33
vulnerability VCID-pqgj-ry81-6ua3
34
vulnerability VCID-qxnw-7urw-fud2
35
vulnerability VCID-rysu-xhvt-yqda
36
vulnerability VCID-s49h-br5r-5yh8
37
vulnerability VCID-tpjn-4kru-vucv
38
vulnerability VCID-vj7z-pmk3-cydg
39
vulnerability VCID-vras-f42j-xqfg
40
vulnerability VCID-vy44-rbar-w3fn
41
vulnerability VCID-w8ff-8479-rbfq
42
vulnerability VCID-xwza-guvs-83a9
43
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.0
aliases CVE-2021-45230, GHSA-4jh2-3c85-q67h, PYSEC-2022-11
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jrwf-mt69-1ydt
38
url VCID-kb4a-mm13-63bj
vulnerability_id VCID-kb4a-mm13-63bj
summary Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
references
0
reference_url https://github.com/apache/airflow/pull/43040
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/43040
1
reference_url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
reference_id
reference_type
scores
url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
2
reference_url http://www.openwall.com/lists/oss-security/2024/11/15/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/11/15/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.3
purl pkg:pypi/apache-airflow@2.10.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-j6uh-kx6m-sydp
2
vulnerability VCID-tpjn-4kru-vucv
3
vulnerability VCID-vras-f42j-xqfg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3
aliases CVE-2024-45784, PYSEC-2024-182
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kb4a-mm13-63bj
39
url VCID-kgfb-yphg-n3ec
vulnerability_id VCID-kgfb-yphg-n3ec
summary Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473
2
reference_url https://github.com/apache/airflow/pull/29506
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/29506
3
reference_url https://github.com/apache/airflow/releases/tag/2.6.0
reference_id
reference_type
scores
url https://github.com/apache/airflow/releases/tag/2.6.0
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml
5
reference_url https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v
reference_id
reference_type
scores
url https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v
6
reference_url https://www.openwall.com/lists/oss-security/2023/05/08/2
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/05/08/2
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25754
reference_id CVE-2023-25754
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25754
8
reference_url https://github.com/advisories/GHSA-jchm-fm4q-c2fp
reference_id GHSA-jchm-fm4q-c2fp
reference_type
scores
url https://github.com/advisories/GHSA-jchm-fm4q-c2fp
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.0b1
purl pkg:pypi/apache-airflow@2.6.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-1tvn-y85f-jkb9
4
vulnerability VCID-2q7x-bua5-37h7
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-7z8j-8f4d-53dm
8
vulnerability VCID-82p8-yujf-hkdd
9
vulnerability VCID-8m3p-yzr8-yyhj
10
vulnerability VCID-8npr-rvfd-jkfj
11
vulnerability VCID-8ykk-1kak-6bfd
12
vulnerability VCID-arbk-dryb-qkda
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-kgfb-yphg-n3ec
21
vulnerability VCID-mbgq-fq5n-kufh
22
vulnerability VCID-nfbc-tutd-37bw
23
vulnerability VCID-pb3b-22wk-pbh5
24
vulnerability VCID-pmtw-nwnc-nyfw
25
vulnerability VCID-rysu-xhvt-yqda
26
vulnerability VCID-s49h-br5r-5yh8
27
vulnerability VCID-tpjn-4kru-vucv
28
vulnerability VCID-vj7z-pmk3-cydg
29
vulnerability VCID-vras-f42j-xqfg
30
vulnerability VCID-vy44-rbar-w3fn
31
vulnerability VCID-w8ff-8479-rbfq
32
vulnerability VCID-xwza-guvs-83a9
33
vulnerability VCID-yrx8-dtav-83av
34
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1
1
url pkg:pypi/apache-airflow@2.6.0
purl pkg:pypi/apache-airflow@2.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-1tvn-y85f-jkb9
4
vulnerability VCID-2q7x-bua5-37h7
5
vulnerability VCID-4u8d-ezsr-sqcz
6
vulnerability VCID-7z8j-8f4d-53dm
7
vulnerability VCID-82p8-yujf-hkdd
8
vulnerability VCID-8m3p-yzr8-yyhj
9
vulnerability VCID-8npr-rvfd-jkfj
10
vulnerability VCID-8ykk-1kak-6bfd
11
vulnerability VCID-arbk-dryb-qkda
12
vulnerability VCID-cxqa-pqca-pqgc
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-mbgq-fq5n-kufh
21
vulnerability VCID-nfbc-tutd-37bw
22
vulnerability VCID-pmtw-nwnc-nyfw
23
vulnerability VCID-rysu-xhvt-yqda
24
vulnerability VCID-s49h-br5r-5yh8
25
vulnerability VCID-tpjn-4kru-vucv
26
vulnerability VCID-vj7z-pmk3-cydg
27
vulnerability VCID-vras-f42j-xqfg
28
vulnerability VCID-vy44-rbar-w3fn
29
vulnerability VCID-w8ff-8479-rbfq
30
vulnerability VCID-xwza-guvs-83a9
31
vulnerability VCID-yrx8-dtav-83av
32
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0
aliases CVE-2023-25754, GHSA-jchm-fm4q-c2fp, PYSEC-2023-59
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kgfb-yphg-n3ec
40
url VCID-krjr-ctw4-r3d3
vulnerability_id VCID-krjr-ctw4-r3d3
summary The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-13927
reference_id
reference_type
scores
0
value 0.94104
scoring_system epss
scoring_elements 0.99913
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-13927
1
reference_url https://github.com/advisories/GHSA-hhx9-p69v-cx2j
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-hhx9-p69v-cx2j
2
reference_url https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11
purl pkg:pypi/apache-airflow@1.10.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5ufe-1rrj-rkgp
12
vulnerability VCID-6hxm-nnhg-buex
13
vulnerability VCID-7z8j-8f4d-53dm
14
vulnerability VCID-82p8-yujf-hkdd
15
vulnerability VCID-8m3p-yzr8-yyhj
16
vulnerability VCID-8npr-rvfd-jkfj
17
vulnerability VCID-8ykk-1kak-6bfd
18
vulnerability VCID-9f34-2r5y-sydz
19
vulnerability VCID-arbk-dryb-qkda
20
vulnerability VCID-bn9u-brjp-yudy
21
vulnerability VCID-ctd9-hxfn-8fcs
22
vulnerability VCID-d3kc-fn21-xqar
23
vulnerability VCID-dk1y-938p-k3bv
24
vulnerability VCID-e19b-adrm-x7fu
25
vulnerability VCID-fctg-457f-4uae
26
vulnerability VCID-fnsx-gtgn-27dr
27
vulnerability VCID-gbgf-jfzt-tqg1
28
vulnerability VCID-gg94-fdbv-y7g1
29
vulnerability VCID-gt7b-5554-y7dq
30
vulnerability VCID-hgq2-kuex-y3a3
31
vulnerability VCID-hpf3-3z3m-6ydt
32
vulnerability VCID-j6uh-kx6m-sydp
33
vulnerability VCID-jrwf-mt69-1ydt
34
vulnerability VCID-kb4a-mm13-63bj
35
vulnerability VCID-kgfb-yphg-n3ec
36
vulnerability VCID-ms13-tzaa-hkej
37
vulnerability VCID-nfbc-tutd-37bw
38
vulnerability VCID-p42d-ta7v-7yhn
39
vulnerability VCID-pb3b-22wk-pbh5
40
vulnerability VCID-pmtw-nwnc-nyfw
41
vulnerability VCID-pqgj-ry81-6ua3
42
vulnerability VCID-qxnw-7urw-fud2
43
vulnerability VCID-rysu-xhvt-yqda
44
vulnerability VCID-s49h-br5r-5yh8
45
vulnerability VCID-ssbp-gvfd-2kef
46
vulnerability VCID-tcjg-f9cn-mubj
47
vulnerability VCID-tpjn-4kru-vucv
48
vulnerability VCID-vj7z-pmk3-cydg
49
vulnerability VCID-vras-f42j-xqfg
50
vulnerability VCID-vy44-rbar-w3fn
51
vulnerability VCID-w8ff-8479-rbfq
52
vulnerability VCID-xwza-guvs-83a9
53
vulnerability VCID-ygjc-77t9-yfge
54
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11
aliases CVE-2020-13927, GHSA-hhx9-p69v-cx2j, PYSEC-2020-18
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-krjr-ctw4-r3d3
41
url VCID-ms13-tzaa-hkej
vulnerability_id VCID-ms13-tzaa-hkej
summary The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.
references
0
reference_url https://github.com/advisories/GHSA-fh37-cx83-q542
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-fh37-cx83-q542
1
reference_url https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E
2
reference_url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E
3
reference_url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E
4
reference_url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
5
reference_url http://www.openwall.com/lists/oss-security/2021/02/17/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/02/17/2
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.1
purl pkg:pypi/apache-airflow@2.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-arbk-dryb-qkda
17
vulnerability VCID-ctd9-hxfn-8fcs
18
vulnerability VCID-d3kc-fn21-xqar
19
vulnerability VCID-dk1y-938p-k3bv
20
vulnerability VCID-e19b-adrm-x7fu
21
vulnerability VCID-fctg-457f-4uae
22
vulnerability VCID-fnsx-gtgn-27dr
23
vulnerability VCID-gbgf-jfzt-tqg1
24
vulnerability VCID-gg94-fdbv-y7g1
25
vulnerability VCID-gt7b-5554-y7dq
26
vulnerability VCID-hgq2-kuex-y3a3
27
vulnerability VCID-hpf3-3z3m-6ydt
28
vulnerability VCID-j6uh-kx6m-sydp
29
vulnerability VCID-jrwf-mt69-1ydt
30
vulnerability VCID-kb4a-mm13-63bj
31
vulnerability VCID-kgfb-yphg-n3ec
32
vulnerability VCID-kjw8-c6cn-3kee
33
vulnerability VCID-nfbc-tutd-37bw
34
vulnerability VCID-p42d-ta7v-7yhn
35
vulnerability VCID-pb3b-22wk-pbh5
36
vulnerability VCID-pmtw-nwnc-nyfw
37
vulnerability VCID-pqgj-ry81-6ua3
38
vulnerability VCID-qxnw-7urw-fud2
39
vulnerability VCID-rysu-xhvt-yqda
40
vulnerability VCID-s49h-br5r-5yh8
41
vulnerability VCID-tpjn-4kru-vucv
42
vulnerability VCID-vj7z-pmk3-cydg
43
vulnerability VCID-vras-f42j-xqfg
44
vulnerability VCID-vy44-rbar-w3fn
45
vulnerability VCID-w8ff-8479-rbfq
46
vulnerability VCID-xwza-guvs-83a9
47
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1
aliases CVE-2021-26697, GHSA-fh37-cx83-q542, PYSEC-2021-3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ms13-tzaa-hkej
42
url VCID-nfbc-tutd-37bw
vulnerability_id VCID-nfbc-tutd-37bw
summary 
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.
This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.
Users are recommended to upgrade to 2.8.0, which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929
2
reference_url https://github.com/apache/airflow/pull/33932
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://github.com/apache/airflow/pull/33932
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml
4
reference_url https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn
5
reference_url http://www.openwall.com/lists/oss-security/2023/12/21/4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url http://www.openwall.com/lists/oss-security/2023/12/21/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50783
reference_id CVE-2023-50783
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50783
7
reference_url https://github.com/advisories/GHSA-5938-79hg-xh3q
reference_id GHSA-5938-79hg-xh3q
reference_type
scores
url https://github.com/advisories/GHSA-5938-79hg-xh3q
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.0
purl pkg:pypi/apache-airflow@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-4u8d-ezsr-sqcz
2
vulnerability VCID-82p8-yujf-hkdd
3
vulnerability VCID-8m3p-yzr8-yyhj
4
vulnerability VCID-arbk-dryb-qkda
5
vulnerability VCID-hpf3-3z3m-6ydt
6
vulnerability VCID-j6uh-kx6m-sydp
7
vulnerability VCID-k4r8-a72h-fkdf
8
vulnerability VCID-kb4a-mm13-63bj
9
vulnerability VCID-mbgq-fq5n-kufh
10
vulnerability VCID-tpjn-4kru-vucv
11
vulnerability VCID-vras-f42j-xqfg
12
vulnerability VCID-w8ff-8479-rbfq
13
vulnerability VCID-xwza-guvs-83a9
14
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0
aliases CVE-2023-50783, GHSA-5938-79hg-xh3q, PYSEC-2023-267
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nfbc-tutd-37bw
43
url VCID-p42d-ta7v-7yhn
vulnerability_id VCID-p42d-ta7v-7yhn
summary In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.
references
0
reference_url https://github.com/advisories/GHSA-q8h9-pqcx-59hw
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-q8h9-pqcx-59hw
1
reference_url https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv
reference_id
reference_type
scores
url https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv
2
reference_url http://www.openwall.com/lists/oss-security/2022/09/02/12
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/09/02/12
3
reference_url http://www.openwall.com/lists/oss-security/2022/09/02/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/09/02/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.3.4
purl pkg:pypi/apache-airflow@2.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-ctd9-hxfn-8fcs
15
vulnerability VCID-d3kc-fn21-xqar
16
vulnerability VCID-dk1y-938p-k3bv
17
vulnerability VCID-e19b-adrm-x7fu
18
vulnerability VCID-fctg-457f-4uae
19
vulnerability VCID-fnsx-gtgn-27dr
20
vulnerability VCID-hgq2-kuex-y3a3
21
vulnerability VCID-hpf3-3z3m-6ydt
22
vulnerability VCID-j6uh-kx6m-sydp
23
vulnerability VCID-k7ea-m9cw-w3fz
24
vulnerability VCID-kb4a-mm13-63bj
25
vulnerability VCID-kgfb-yphg-n3ec
26
vulnerability VCID-nfbc-tutd-37bw
27
vulnerability VCID-pb3b-22wk-pbh5
28
vulnerability VCID-pmtw-nwnc-nyfw
29
vulnerability VCID-pqgj-ry81-6ua3
30
vulnerability VCID-qxnw-7urw-fud2
31
vulnerability VCID-rysu-xhvt-yqda
32
vulnerability VCID-s49h-br5r-5yh8
33
vulnerability VCID-swav-nrrn-wbcs
34
vulnerability VCID-tpjn-4kru-vucv
35
vulnerability VCID-vj7z-pmk3-cydg
36
vulnerability VCID-vras-f42j-xqfg
37
vulnerability VCID-vy44-rbar-w3fn
38
vulnerability VCID-w8ff-8479-rbfq
39
vulnerability VCID-xwza-guvs-83a9
40
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.4
aliases CVE-2022-38170, GHSA-q8h9-pqcx-59hw, PYSEC-2022-261
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p42d-ta7v-7yhn
44
url VCID-pb3b-22wk-pbh5
vulnerability_id VCID-pb3b-22wk-pbh5
summary 
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0

This issue affects Apache Airflow: before 2.6.0.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8
2
reference_url https://github.com/apache/airflow/pull/29706
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/29706
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml
4
reference_url https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15
reference_id
reference_type
scores
url https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-39508
reference_id CVE-2023-39508
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-39508
6
reference_url https://github.com/advisories/GHSA-269x-pg5c-5xgm
reference_id GHSA-269x-pg5c-5xgm
reference_type
scores
url https://github.com/advisories/GHSA-269x-pg5c-5xgm
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.0b1
purl pkg:pypi/apache-airflow@2.6.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-1tvn-y85f-jkb9
4
vulnerability VCID-2q7x-bua5-37h7
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-7z8j-8f4d-53dm
8
vulnerability VCID-82p8-yujf-hkdd
9
vulnerability VCID-8m3p-yzr8-yyhj
10
vulnerability VCID-8npr-rvfd-jkfj
11
vulnerability VCID-8ykk-1kak-6bfd
12
vulnerability VCID-arbk-dryb-qkda
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-kgfb-yphg-n3ec
21
vulnerability VCID-mbgq-fq5n-kufh
22
vulnerability VCID-nfbc-tutd-37bw
23
vulnerability VCID-pb3b-22wk-pbh5
24
vulnerability VCID-pmtw-nwnc-nyfw
25
vulnerability VCID-rysu-xhvt-yqda
26
vulnerability VCID-s49h-br5r-5yh8
27
vulnerability VCID-tpjn-4kru-vucv
28
vulnerability VCID-vj7z-pmk3-cydg
29
vulnerability VCID-vras-f42j-xqfg
30
vulnerability VCID-vy44-rbar-w3fn
31
vulnerability VCID-w8ff-8479-rbfq
32
vulnerability VCID-xwza-guvs-83a9
33
vulnerability VCID-yrx8-dtav-83av
34
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1
1
url pkg:pypi/apache-airflow@2.6.0
purl pkg:pypi/apache-airflow@2.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-1tvn-y85f-jkb9
4
vulnerability VCID-2q7x-bua5-37h7
5
vulnerability VCID-4u8d-ezsr-sqcz
6
vulnerability VCID-7z8j-8f4d-53dm
7
vulnerability VCID-82p8-yujf-hkdd
8
vulnerability VCID-8m3p-yzr8-yyhj
9
vulnerability VCID-8npr-rvfd-jkfj
10
vulnerability VCID-8ykk-1kak-6bfd
11
vulnerability VCID-arbk-dryb-qkda
12
vulnerability VCID-cxqa-pqca-pqgc
13
vulnerability VCID-d3kc-fn21-xqar
14
vulnerability VCID-dk1y-938p-k3bv
15
vulnerability VCID-fctg-457f-4uae
16
vulnerability VCID-hgq2-kuex-y3a3
17
vulnerability VCID-hpf3-3z3m-6ydt
18
vulnerability VCID-j6uh-kx6m-sydp
19
vulnerability VCID-kb4a-mm13-63bj
20
vulnerability VCID-mbgq-fq5n-kufh
21
vulnerability VCID-nfbc-tutd-37bw
22
vulnerability VCID-pmtw-nwnc-nyfw
23
vulnerability VCID-rysu-xhvt-yqda
24
vulnerability VCID-s49h-br5r-5yh8
25
vulnerability VCID-tpjn-4kru-vucv
26
vulnerability VCID-vj7z-pmk3-cydg
27
vulnerability VCID-vras-f42j-xqfg
28
vulnerability VCID-vy44-rbar-w3fn
29
vulnerability VCID-w8ff-8479-rbfq
30
vulnerability VCID-xwza-guvs-83a9
31
vulnerability VCID-yrx8-dtav-83av
32
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0
aliases CVE-2023-39508, GHSA-269x-pg5c-5xgm, PYSEC-2023-134
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pb3b-22wk-pbh5
45
url VCID-pmtw-nwnc-nyfw
vulnerability_id VCID-pmtw-nwnc-nyfw
summary 
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/34366
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://github.com/apache/airflow/pull/34366
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml
3
reference_url https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42792
reference_id CVE-2023-42792
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42792
5
reference_url https://github.com/advisories/GHSA-j3w8-2p2h-mrr9
reference_id GHSA-j3w8-2p2h-mrr9
reference_type
scores
url https://github.com/advisories/GHSA-j3w8-2p2h-mrr9
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.2
purl pkg:pypi/apache-airflow@2.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-4u8d-ezsr-sqcz
3
vulnerability VCID-82p8-yujf-hkdd
4
vulnerability VCID-8m3p-yzr8-yyhj
5
vulnerability VCID-arbk-dryb-qkda
6
vulnerability VCID-cxqa-pqca-pqgc
7
vulnerability VCID-fctg-457f-4uae
8
vulnerability VCID-hpf3-3z3m-6ydt
9
vulnerability VCID-j6uh-kx6m-sydp
10
vulnerability VCID-kb4a-mm13-63bj
11
vulnerability VCID-mbgq-fq5n-kufh
12
vulnerability VCID-nfbc-tutd-37bw
13
vulnerability VCID-rysu-xhvt-yqda
14
vulnerability VCID-tpjn-4kru-vucv
15
vulnerability VCID-unq1-wwfg-6ydk
16
vulnerability VCID-vras-f42j-xqfg
17
vulnerability VCID-w8ff-8479-rbfq
18
vulnerability VCID-xwza-guvs-83a9
19
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2
aliases CVE-2023-42792, GHSA-j3w8-2p2h-mrr9, PYSEC-2023-203
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pmtw-nwnc-nyfw
46
url VCID-pqgj-ry81-6ua3
vulnerability_id VCID-pqgj-ry81-6ua3
summary In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
references
0
reference_url https://github.com/apache/airflow/pull/27143
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/27143
1
reference_url https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq
reference_id
reference_type
scores
url https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.2
purl pkg:pypi/apache-airflow@2.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-d3kc-fn21-xqar
15
vulnerability VCID-dk1y-938p-k3bv
16
vulnerability VCID-e19b-adrm-x7fu
17
vulnerability VCID-fctg-457f-4uae
18
vulnerability VCID-hgq2-kuex-y3a3
19
vulnerability VCID-hpf3-3z3m-6ydt
20
vulnerability VCID-j6uh-kx6m-sydp
21
vulnerability VCID-kb4a-mm13-63bj
22
vulnerability VCID-kgfb-yphg-n3ec
23
vulnerability VCID-mbgq-fq5n-kufh
24
vulnerability VCID-nfbc-tutd-37bw
25
vulnerability VCID-pb3b-22wk-pbh5
26
vulnerability VCID-pmtw-nwnc-nyfw
27
vulnerability VCID-rysu-xhvt-yqda
28
vulnerability VCID-s49h-br5r-5yh8
29
vulnerability VCID-tpjn-4kru-vucv
30
vulnerability VCID-vj7z-pmk3-cydg
31
vulnerability VCID-vras-f42j-xqfg
32
vulnerability VCID-vy44-rbar-w3fn
33
vulnerability VCID-w8ff-8479-rbfq
34
vulnerability VCID-xwza-guvs-83a9
35
vulnerability VCID-yrx8-dtav-83av
36
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2
aliases CVE-2022-43985, PYSEC-2022-42971
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pqgj-ry81-6ua3
47
url VCID-qxnw-7urw-fud2
vulnerability_id VCID-qxnw-7urw-fud2
summary In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.
references
0
reference_url https://github.com/apache/airflow/pull/27143
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/27143
1
reference_url https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l
reference_id
reference_type
scores
url https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.2
purl pkg:pypi/apache-airflow@2.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-4693-xwwu-7uem
5
vulnerability VCID-4btd-59ga-1yd4
6
vulnerability VCID-4u8d-ezsr-sqcz
7
vulnerability VCID-5ph5-s3qc-guf4
8
vulnerability VCID-7z8j-8f4d-53dm
9
vulnerability VCID-82p8-yujf-hkdd
10
vulnerability VCID-8m3p-yzr8-yyhj
11
vulnerability VCID-8npr-rvfd-jkfj
12
vulnerability VCID-8ykk-1kak-6bfd
13
vulnerability VCID-arbk-dryb-qkda
14
vulnerability VCID-d3kc-fn21-xqar
15
vulnerability VCID-dk1y-938p-k3bv
16
vulnerability VCID-e19b-adrm-x7fu
17
vulnerability VCID-fctg-457f-4uae
18
vulnerability VCID-hgq2-kuex-y3a3
19
vulnerability VCID-hpf3-3z3m-6ydt
20
vulnerability VCID-j6uh-kx6m-sydp
21
vulnerability VCID-kb4a-mm13-63bj
22
vulnerability VCID-kgfb-yphg-n3ec
23
vulnerability VCID-mbgq-fq5n-kufh
24
vulnerability VCID-nfbc-tutd-37bw
25
vulnerability VCID-pb3b-22wk-pbh5
26
vulnerability VCID-pmtw-nwnc-nyfw
27
vulnerability VCID-rysu-xhvt-yqda
28
vulnerability VCID-s49h-br5r-5yh8
29
vulnerability VCID-tpjn-4kru-vucv
30
vulnerability VCID-vj7z-pmk3-cydg
31
vulnerability VCID-vras-f42j-xqfg
32
vulnerability VCID-vy44-rbar-w3fn
33
vulnerability VCID-w8ff-8479-rbfq
34
vulnerability VCID-xwza-guvs-83a9
35
vulnerability VCID-yrx8-dtav-83av
36
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2
aliases CVE-2022-43982, PYSEC-2022-42970
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qxnw-7urw-fud2
48
url VCID-rysu-xhvt-yqda
vulnerability_id VCID-rysu-xhvt-yqda
summary 
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.

This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 

Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c
2
reference_url https://github.com/apache/airflow/pull/34366
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://github.com/apache/airflow/pull/34366
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml
4
reference_url https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3
5
reference_url http://www.openwall.com/lists/oss-security/2023/12/21/1
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url http://www.openwall.com/lists/oss-security/2023/12/21/1
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48291
reference_id CVE-2023-48291
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-48291
7
reference_url https://github.com/advisories/GHSA-8f57-wcmg-4jmh
reference_id GHSA-8f57-wcmg-4jmh
reference_type
scores
url https://github.com/advisories/GHSA-8f57-wcmg-4jmh
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.0
purl pkg:pypi/apache-airflow@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-4u8d-ezsr-sqcz
2
vulnerability VCID-82p8-yujf-hkdd
3
vulnerability VCID-8m3p-yzr8-yyhj
4
vulnerability VCID-arbk-dryb-qkda
5
vulnerability VCID-hpf3-3z3m-6ydt
6
vulnerability VCID-j6uh-kx6m-sydp
7
vulnerability VCID-k4r8-a72h-fkdf
8
vulnerability VCID-kb4a-mm13-63bj
9
vulnerability VCID-mbgq-fq5n-kufh
10
vulnerability VCID-tpjn-4kru-vucv
11
vulnerability VCID-vras-f42j-xqfg
12
vulnerability VCID-w8ff-8479-rbfq
13
vulnerability VCID-xwza-guvs-83a9
14
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0
aliases CVE-2023-48291, GHSA-8f57-wcmg-4jmh, PYSEC-2023-265
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rysu-xhvt-yqda
49
url VCID-s49h-br5r-5yh8
vulnerability_id VCID-s49h-br5r-5yh8
summary 
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.

Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e
2
reference_url https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148
3
reference_url https://github.com/apache/airflow/pull/33512
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33512
4
reference_url https://github.com/apache/airflow/pull/33516
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33516
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml
6
reference_url https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
reference_id
reference_type
scores
url https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40712
reference_id CVE-2023-40712
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40712
8
reference_url https://github.com/advisories/GHSA-mjqh-v5f2-g2mw
reference_id GHSA-mjqh-v5f2-g2mw
reference_type
scores
url https://github.com/advisories/GHSA-mjqh-v5f2-g2mw
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.1
purl pkg:pypi/apache-airflow@2.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-4u8d-ezsr-sqcz
3
vulnerability VCID-63fw-ggbk-9ycy
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8ykk-1kak-6bfd
7
vulnerability VCID-arbk-dryb-qkda
8
vulnerability VCID-cxqa-pqca-pqgc
9
vulnerability VCID-fctg-457f-4uae
10
vulnerability VCID-hgq2-kuex-y3a3
11
vulnerability VCID-hpf3-3z3m-6ydt
12
vulnerability VCID-j6uh-kx6m-sydp
13
vulnerability VCID-kb4a-mm13-63bj
14
vulnerability VCID-mbgq-fq5n-kufh
15
vulnerability VCID-nfbc-tutd-37bw
16
vulnerability VCID-pmtw-nwnc-nyfw
17
vulnerability VCID-rysu-xhvt-yqda
18
vulnerability VCID-tpjn-4kru-vucv
19
vulnerability VCID-unq1-wwfg-6ydk
20
vulnerability VCID-vras-f42j-xqfg
21
vulnerability VCID-w8ff-8479-rbfq
22
vulnerability VCID-xwza-guvs-83a9
23
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1
aliases CVE-2023-40712, GHSA-mjqh-v5f2-g2mw, PYSEC-2023-171
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s49h-br5r-5yh8
50
url VCID-ssbp-gvfd-2kef
vulnerability_id VCID-ssbp-gvfd-2kef
summary Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.
references
0
reference_url https://github.com/advisories/GHSA-ffw3-6mp6-jmvj
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-ffw3-6mp6-jmvj
1
reference_url https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
2
reference_url https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E
3
reference_url http://www.openwall.com/lists/oss-security/2021/02/17/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/02/17/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.1
purl pkg:pypi/apache-airflow@2.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-arbk-dryb-qkda
17
vulnerability VCID-ctd9-hxfn-8fcs
18
vulnerability VCID-d3kc-fn21-xqar
19
vulnerability VCID-dk1y-938p-k3bv
20
vulnerability VCID-e19b-adrm-x7fu
21
vulnerability VCID-fctg-457f-4uae
22
vulnerability VCID-fnsx-gtgn-27dr
23
vulnerability VCID-gbgf-jfzt-tqg1
24
vulnerability VCID-gg94-fdbv-y7g1
25
vulnerability VCID-gt7b-5554-y7dq
26
vulnerability VCID-hgq2-kuex-y3a3
27
vulnerability VCID-hpf3-3z3m-6ydt
28
vulnerability VCID-j6uh-kx6m-sydp
29
vulnerability VCID-jrwf-mt69-1ydt
30
vulnerability VCID-kb4a-mm13-63bj
31
vulnerability VCID-kgfb-yphg-n3ec
32
vulnerability VCID-kjw8-c6cn-3kee
33
vulnerability VCID-nfbc-tutd-37bw
34
vulnerability VCID-p42d-ta7v-7yhn
35
vulnerability VCID-pb3b-22wk-pbh5
36
vulnerability VCID-pmtw-nwnc-nyfw
37
vulnerability VCID-pqgj-ry81-6ua3
38
vulnerability VCID-qxnw-7urw-fud2
39
vulnerability VCID-rysu-xhvt-yqda
40
vulnerability VCID-s49h-br5r-5yh8
41
vulnerability VCID-tpjn-4kru-vucv
42
vulnerability VCID-vj7z-pmk3-cydg
43
vulnerability VCID-vras-f42j-xqfg
44
vulnerability VCID-vy44-rbar-w3fn
45
vulnerability VCID-w8ff-8479-rbfq
46
vulnerability VCID-xwza-guvs-83a9
47
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1
aliases CVE-2021-26559, GHSA-ffw3-6mp6-jmvj, PYSEC-2021-2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ssbp-gvfd-2kef
51
url VCID-syqv-6kj7-j3e5
vulnerability_id VCID-syqv-6kj7-j3e5
summary An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-11978
reference_id
reference_type
scores
0
value 0.94272
scoring_system epss
scoring_elements 0.9994
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-11978
1
reference_url https://github.com/advisories/GHSA-rvmq-4x66-q7j3
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-rvmq-4x66-q7j3
2
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5ufe-1rrj-rkgp
12
vulnerability VCID-6hxm-nnhg-buex
13
vulnerability VCID-7z8j-8f4d-53dm
14
vulnerability VCID-82p8-yujf-hkdd
15
vulnerability VCID-8m3p-yzr8-yyhj
16
vulnerability VCID-8npr-rvfd-jkfj
17
vulnerability VCID-8ykk-1kak-6bfd
18
vulnerability VCID-9f34-2r5y-sydz
19
vulnerability VCID-arbk-dryb-qkda
20
vulnerability VCID-bn9u-brjp-yudy
21
vulnerability VCID-ctd9-hxfn-8fcs
22
vulnerability VCID-d3kc-fn21-xqar
23
vulnerability VCID-dk1y-938p-k3bv
24
vulnerability VCID-e19b-adrm-x7fu
25
vulnerability VCID-fctg-457f-4uae
26
vulnerability VCID-fnsx-gtgn-27dr
27
vulnerability VCID-gbgf-jfzt-tqg1
28
vulnerability VCID-gg94-fdbv-y7g1
29
vulnerability VCID-gt7b-5554-y7dq
30
vulnerability VCID-hgq2-kuex-y3a3
31
vulnerability VCID-hpf3-3z3m-6ydt
32
vulnerability VCID-j6uh-kx6m-sydp
33
vulnerability VCID-jrwf-mt69-1ydt
34
vulnerability VCID-kb4a-mm13-63bj
35
vulnerability VCID-kgfb-yphg-n3ec
36
vulnerability VCID-krjr-ctw4-r3d3
37
vulnerability VCID-ms13-tzaa-hkej
38
vulnerability VCID-nfbc-tutd-37bw
39
vulnerability VCID-p42d-ta7v-7yhn
40
vulnerability VCID-pb3b-22wk-pbh5
41
vulnerability VCID-pmtw-nwnc-nyfw
42
vulnerability VCID-pqgj-ry81-6ua3
43
vulnerability VCID-qxnw-7urw-fud2
44
vulnerability VCID-rysu-xhvt-yqda
45
vulnerability VCID-s49h-br5r-5yh8
46
vulnerability VCID-ssbp-gvfd-2kef
47
vulnerability VCID-tcjg-f9cn-mubj
48
vulnerability VCID-tpjn-4kru-vucv
49
vulnerability VCID-vj7z-pmk3-cydg
50
vulnerability VCID-vras-f42j-xqfg
51
vulnerability VCID-vy44-rbar-w3fn
52
vulnerability VCID-w8ff-8479-rbfq
53
vulnerability VCID-xwza-guvs-83a9
54
vulnerability VCID-ygjc-77t9-yfge
55
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
aliases CVE-2020-11978, GHSA-rvmq-4x66-q7j3, PYSEC-2020-14
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-syqv-6kj7-j3e5
52
url VCID-tcjg-f9cn-mubj
vulnerability_id VCID-tcjg-f9cn-mubj
summary The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-17515
reference_id
reference_type
scores
0
value 0.10185
scoring_system epss
scoring_elements 0.93251
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-17515
1
reference_url https://github.com/advisories/GHSA-86vp-x3pr-79rx
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-86vp-x3pr-79rx
2
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
3
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
4
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
5
reference_url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
6
reference_url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
9
reference_url http://www.openwall.com/lists/oss-security/2020/12/11/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/12/11/2
10
reference_url http://www.openwall.com/lists/oss-security/2021/05/01/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/05/01/2
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.13
purl pkg:pypi/apache-airflow@1.10.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-9f34-2r5y-sydz
17
vulnerability VCID-arbk-dryb-qkda
18
vulnerability VCID-bn9u-brjp-yudy
19
vulnerability VCID-ctd9-hxfn-8fcs
20
vulnerability VCID-d3kc-fn21-xqar
21
vulnerability VCID-dk1y-938p-k3bv
22
vulnerability VCID-e19b-adrm-x7fu
23
vulnerability VCID-fctg-457f-4uae
24
vulnerability VCID-fnsx-gtgn-27dr
25
vulnerability VCID-gbgf-jfzt-tqg1
26
vulnerability VCID-gg94-fdbv-y7g1
27
vulnerability VCID-gt7b-5554-y7dq
28
vulnerability VCID-hgq2-kuex-y3a3
29
vulnerability VCID-hpf3-3z3m-6ydt
30
vulnerability VCID-j6uh-kx6m-sydp
31
vulnerability VCID-jrwf-mt69-1ydt
32
vulnerability VCID-kb4a-mm13-63bj
33
vulnerability VCID-kgfb-yphg-n3ec
34
vulnerability VCID-ms13-tzaa-hkej
35
vulnerability VCID-nfbc-tutd-37bw
36
vulnerability VCID-p42d-ta7v-7yhn
37
vulnerability VCID-pb3b-22wk-pbh5
38
vulnerability VCID-pmtw-nwnc-nyfw
39
vulnerability VCID-pqgj-ry81-6ua3
40
vulnerability VCID-qxnw-7urw-fud2
41
vulnerability VCID-rysu-xhvt-yqda
42
vulnerability VCID-s49h-br5r-5yh8
43
vulnerability VCID-ssbp-gvfd-2kef
44
vulnerability VCID-tpjn-4kru-vucv
45
vulnerability VCID-vj7z-pmk3-cydg
46
vulnerability VCID-vras-f42j-xqfg
47
vulnerability VCID-vy44-rbar-w3fn
48
vulnerability VCID-w8ff-8479-rbfq
49
vulnerability VCID-xwza-guvs-83a9
50
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13
aliases CVE-2020-17515, GHSA-86vp-x3pr-79rx, PYSEC-2020-21
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tcjg-f9cn-mubj
53
url VCID-tpjn-4kru-vucv
vulnerability_id VCID-tpjn-4kru-vucv
summary In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/63028
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/63028
1
reference_url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/04/17/5
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-30912, PYSEC-2026-18
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tpjn-4kru-vucv
54
url VCID-vj7z-pmk3-cydg
vulnerability_id VCID-vj7z-pmk3-cydg
summary 
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603
2
reference_url https://github.com/apache/airflow/pull/32052
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
url https://github.com/apache/airflow/pull/32052
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml
4
reference_url https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
url https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r
5
reference_url http://www.openwall.com/lists/oss-security/2023/08/23/4
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
url http://www.openwall.com/lists/oss-security/2023/08/23/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37379
reference_id CVE-2023-37379
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-37379
7
reference_url https://github.com/advisories/GHSA-x2mh-8fmc-rqgh
reference_id GHSA-x2mh-8fmc-rqgh
reference_type
scores
url https://github.com/advisories/GHSA-x2mh-8fmc-rqgh
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.0b1
purl pkg:pypi/apache-airflow@2.7.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-vj7z-pmk3-cydg
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
26
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0b1
1
url pkg:pypi/apache-airflow@2.7.0
purl pkg:pypi/apache-airflow@2.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-63fw-ggbk-9ycy
5
vulnerability VCID-82p8-yujf-hkdd
6
vulnerability VCID-8m3p-yzr8-yyhj
7
vulnerability VCID-8npr-rvfd-jkfj
8
vulnerability VCID-8ykk-1kak-6bfd
9
vulnerability VCID-arbk-dryb-qkda
10
vulnerability VCID-cxqa-pqca-pqgc
11
vulnerability VCID-fctg-457f-4uae
12
vulnerability VCID-g9j4-fhpm-uuba
13
vulnerability VCID-hgq2-kuex-y3a3
14
vulnerability VCID-hpf3-3z3m-6ydt
15
vulnerability VCID-j6uh-kx6m-sydp
16
vulnerability VCID-kb4a-mm13-63bj
17
vulnerability VCID-mbgq-fq5n-kufh
18
vulnerability VCID-nfbc-tutd-37bw
19
vulnerability VCID-pmtw-nwnc-nyfw
20
vulnerability VCID-rysu-xhvt-yqda
21
vulnerability VCID-s49h-br5r-5yh8
22
vulnerability VCID-tpjn-4kru-vucv
23
vulnerability VCID-unq1-wwfg-6ydk
24
vulnerability VCID-vras-f42j-xqfg
25
vulnerability VCID-w8ff-8479-rbfq
26
vulnerability VCID-xwza-guvs-83a9
27
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0
aliases CVE-2023-37379, GHSA-x2mh-8fmc-rqgh, PYSEC-2023-152
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vj7z-pmk3-cydg
55
url VCID-vras-f42j-xqfg
vulnerability_id VCID-vras-f42j-xqfg
summary 
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/59688
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/59688
2
reference_url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
3
reference_url http://www.openwall.com/lists/oss-security/2026/01/15/6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/01/15/6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
reference_id CVE-2025-68675
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
5
reference_url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
reference_id GHSA-7c2f-r6gc-h92h
reference_type
scores
url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
fixed_packages
0
url pkg:pypi/apache-airflow@2.11.1
purl pkg:pypi/apache-airflow@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-j6uh-kx6m-sydp
2
vulnerability VCID-tpjn-4kru-vucv
3
vulnerability VCID-vras-f42j-xqfg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1
1
url pkg:pypi/apache-airflow@3.1.6
purl pkg:pypi/apache-airflow@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9x6r-5m59-yyap
1
vulnerability VCID-bv7f-s53t-uqe4
2
vulnerability VCID-g8pv-cam5-d7dj
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-kmz1-dm9f-d7hj
5
vulnerability VCID-m3ff-jty5-3uhw
6
vulnerability VCID-nrc9-bdc2-dfes
7
vulnerability VCID-pvh4-3wng-ekdq
8
vulnerability VCID-tj2m-5j3f-5ueq
9
vulnerability VCID-tpjn-4kru-vucv
10
vulnerability VCID-vwv4-7y7y-9fcj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6
aliases CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vras-f42j-xqfg
56
url VCID-vy44-rbar-w3fn
vulnerability_id VCID-vy44-rbar-w3fn
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db
2
reference_url https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352
3
reference_url https://github.com/apache/airflow/pull/32014
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32014
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml
5
reference_url https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw
reference_id
reference_type
scores
url https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-35908
reference_id CVE-2023-35908
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-35908
7
reference_url https://github.com/advisories/GHSA-2h84-3crq-vgfj
reference_id GHSA-2h84-3crq-vgfj
reference_type
scores
url https://github.com/advisories/GHSA-2h84-3crq-vgfj
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-2q7x-bua5-37h7
3
vulnerability VCID-4u8d-ezsr-sqcz
4
vulnerability VCID-82p8-yujf-hkdd
5
vulnerability VCID-8m3p-yzr8-yyhj
6
vulnerability VCID-8npr-rvfd-jkfj
7
vulnerability VCID-8ykk-1kak-6bfd
8
vulnerability VCID-arbk-dryb-qkda
9
vulnerability VCID-cxqa-pqca-pqgc
10
vulnerability VCID-fctg-457f-4uae
11
vulnerability VCID-hgq2-kuex-y3a3
12
vulnerability VCID-hpf3-3z3m-6ydt
13
vulnerability VCID-j6uh-kx6m-sydp
14
vulnerability VCID-kb4a-mm13-63bj
15
vulnerability VCID-mbgq-fq5n-kufh
16
vulnerability VCID-nfbc-tutd-37bw
17
vulnerability VCID-pmtw-nwnc-nyfw
18
vulnerability VCID-rysu-xhvt-yqda
19
vulnerability VCID-s49h-br5r-5yh8
20
vulnerability VCID-tpjn-4kru-vucv
21
vulnerability VCID-vj7z-pmk3-cydg
22
vulnerability VCID-vras-f42j-xqfg
23
vulnerability VCID-w8ff-8479-rbfq
24
vulnerability VCID-xwza-guvs-83a9
25
vulnerability VCID-yrx8-dtav-83av
26
vulnerability VCID-z5b8-kcbh-m7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-35908, GHSA-2h84-3crq-vgfj, PYSEC-2023-119
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vy44-rbar-w3fn
57
url VCID-w8ff-8479-rbfq
vulnerability_id VCID-w8ff-8479-rbfq
summary 
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. 
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/41672
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/41672
1
reference_url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
reference_id
reference_type
scores
url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
2
reference_url http://www.openwall.com/lists/oss-security/2024/09/06/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/09/06/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.1
purl pkg:pypi/apache-airflow@2.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-j6uh-kx6m-sydp
2
vulnerability VCID-kb4a-mm13-63bj
3
vulnerability VCID-tpjn-4kru-vucv
4
vulnerability VCID-vras-f42j-xqfg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1
aliases CVE-2024-45034, PYSEC-2024-212
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w8ff-8479-rbfq
58
url VCID-xwza-guvs-83a9
vulnerability_id VCID-xwza-guvs-83a9
summary Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow/pull/40475
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://github.com/apache/airflow/pull/40475
1
reference_url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
2
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/6
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url http://www.openwall.com/lists/oss-security/2024/07/16/6
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.3
purl pkg:pypi/apache-airflow@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-8m3p-yzr8-yyhj
2
vulnerability VCID-j6uh-kx6m-sydp
3
vulnerability VCID-kb4a-mm13-63bj
4
vulnerability VCID-tpjn-4kru-vucv
5
vulnerability VCID-vras-f42j-xqfg
6
vulnerability VCID-w8ff-8479-rbfq
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3
aliases CVE-2024-39863, PYSEC-2024-189
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xwza-guvs-83a9
59
url VCID-ygjc-77t9-yfge
vulnerability_id VCID-ygjc-77t9-yfge
summary In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-17511
reference_id
reference_type
scores
0
value 0.00487
scoring_system epss
scoring_elements 0.65749
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-17511
1
reference_url https://github.com/advisories/GHSA-cvcq-gmc3-q6m8
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-cvcq-gmc3-q6m8
2
reference_url https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.13
purl pkg:pypi/apache-airflow@1.10.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-37nw-x186-puds
5
vulnerability VCID-4693-xwwu-7uem
6
vulnerability VCID-4btd-59ga-1yd4
7
vulnerability VCID-4u8d-ezsr-sqcz
8
vulnerability VCID-5ph5-s3qc-guf4
9
vulnerability VCID-5ufe-1rrj-rkgp
10
vulnerability VCID-6hxm-nnhg-buex
11
vulnerability VCID-7z8j-8f4d-53dm
12
vulnerability VCID-82p8-yujf-hkdd
13
vulnerability VCID-8m3p-yzr8-yyhj
14
vulnerability VCID-8npr-rvfd-jkfj
15
vulnerability VCID-8ykk-1kak-6bfd
16
vulnerability VCID-9f34-2r5y-sydz
17
vulnerability VCID-arbk-dryb-qkda
18
vulnerability VCID-bn9u-brjp-yudy
19
vulnerability VCID-ctd9-hxfn-8fcs
20
vulnerability VCID-d3kc-fn21-xqar
21
vulnerability VCID-dk1y-938p-k3bv
22
vulnerability VCID-e19b-adrm-x7fu
23
vulnerability VCID-fctg-457f-4uae
24
vulnerability VCID-fnsx-gtgn-27dr
25
vulnerability VCID-gbgf-jfzt-tqg1
26
vulnerability VCID-gg94-fdbv-y7g1
27
vulnerability VCID-gt7b-5554-y7dq
28
vulnerability VCID-hgq2-kuex-y3a3
29
vulnerability VCID-hpf3-3z3m-6ydt
30
vulnerability VCID-j6uh-kx6m-sydp
31
vulnerability VCID-jrwf-mt69-1ydt
32
vulnerability VCID-kb4a-mm13-63bj
33
vulnerability VCID-kgfb-yphg-n3ec
34
vulnerability VCID-ms13-tzaa-hkej
35
vulnerability VCID-nfbc-tutd-37bw
36
vulnerability VCID-p42d-ta7v-7yhn
37
vulnerability VCID-pb3b-22wk-pbh5
38
vulnerability VCID-pmtw-nwnc-nyfw
39
vulnerability VCID-pqgj-ry81-6ua3
40
vulnerability VCID-qxnw-7urw-fud2
41
vulnerability VCID-rysu-xhvt-yqda
42
vulnerability VCID-s49h-br5r-5yh8
43
vulnerability VCID-ssbp-gvfd-2kef
44
vulnerability VCID-tpjn-4kru-vucv
45
vulnerability VCID-vj7z-pmk3-cydg
46
vulnerability VCID-vras-f42j-xqfg
47
vulnerability VCID-vy44-rbar-w3fn
48
vulnerability VCID-w8ff-8479-rbfq
49
vulnerability VCID-xwza-guvs-83a9
50
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13
aliases CVE-2020-17511, GHSA-cvcq-gmc3-q6m8, PYSEC-2020-262
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ygjc-77t9-yfge
60
url VCID-ykge-bnhg-g7c4
vulnerability_id VCID-ykge-bnhg-g7c4
summary An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-11982
reference_id
reference_type
scores
0
value 0.05664
scoring_system epss
scoring_elements 0.90516
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-11982
1
reference_url https://github.com/advisories/GHSA-9g2w-5f3v-mfmm
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-9g2w-5f3v-mfmm
2
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5ufe-1rrj-rkgp
12
vulnerability VCID-6hxm-nnhg-buex
13
vulnerability VCID-7z8j-8f4d-53dm
14
vulnerability VCID-82p8-yujf-hkdd
15
vulnerability VCID-8m3p-yzr8-yyhj
16
vulnerability VCID-8npr-rvfd-jkfj
17
vulnerability VCID-8ykk-1kak-6bfd
18
vulnerability VCID-9f34-2r5y-sydz
19
vulnerability VCID-arbk-dryb-qkda
20
vulnerability VCID-bn9u-brjp-yudy
21
vulnerability VCID-ctd9-hxfn-8fcs
22
vulnerability VCID-d3kc-fn21-xqar
23
vulnerability VCID-dk1y-938p-k3bv
24
vulnerability VCID-e19b-adrm-x7fu
25
vulnerability VCID-fctg-457f-4uae
26
vulnerability VCID-fnsx-gtgn-27dr
27
vulnerability VCID-gbgf-jfzt-tqg1
28
vulnerability VCID-gg94-fdbv-y7g1
29
vulnerability VCID-gt7b-5554-y7dq
30
vulnerability VCID-hgq2-kuex-y3a3
31
vulnerability VCID-hpf3-3z3m-6ydt
32
vulnerability VCID-j6uh-kx6m-sydp
33
vulnerability VCID-jrwf-mt69-1ydt
34
vulnerability VCID-kb4a-mm13-63bj
35
vulnerability VCID-kgfb-yphg-n3ec
36
vulnerability VCID-krjr-ctw4-r3d3
37
vulnerability VCID-ms13-tzaa-hkej
38
vulnerability VCID-nfbc-tutd-37bw
39
vulnerability VCID-p42d-ta7v-7yhn
40
vulnerability VCID-pb3b-22wk-pbh5
41
vulnerability VCID-pmtw-nwnc-nyfw
42
vulnerability VCID-pqgj-ry81-6ua3
43
vulnerability VCID-qxnw-7urw-fud2
44
vulnerability VCID-rysu-xhvt-yqda
45
vulnerability VCID-s49h-br5r-5yh8
46
vulnerability VCID-ssbp-gvfd-2kef
47
vulnerability VCID-tcjg-f9cn-mubj
48
vulnerability VCID-tpjn-4kru-vucv
49
vulnerability VCID-vj7z-pmk3-cydg
50
vulnerability VCID-vras-f42j-xqfg
51
vulnerability VCID-vy44-rbar-w3fn
52
vulnerability VCID-w8ff-8479-rbfq
53
vulnerability VCID-xwza-guvs-83a9
54
vulnerability VCID-ygjc-77t9-yfge
55
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
aliases CVE-2020-11982, GHSA-9g2w-5f3v-mfmm, PYSEC-2020-16
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ykge-bnhg-g7c4
61
url VCID-yrx8-dtav-83av
vulnerability_id VCID-yrx8-dtav-83av
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
2
reference_url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
3
reference_url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
4
reference_url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
5
reference_url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
6
reference_url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
7
reference_url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
8
reference_url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
9
reference_url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
10
reference_url https://github.com/apache/airflow/pull/37290
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37290
11
reference_url https://github.com/apache/airflow/pull/37468
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37468
12
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
13
reference_url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
reference_id
reference_type
scores
url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
14
reference_url http://www.openwall.com/lists/oss-security/2024/02/29/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/02/29/1
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
reference_id CVE-2024-27906
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
16
reference_url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
reference_id GHSA-6v6w-h8m6-7mv2
reference_type
scores
url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-8m3p-yzr8-yyhj
2
vulnerability VCID-974g-7wsa-dqd7
3
vulnerability VCID-hpf3-3z3m-6ydt
4
vulnerability VCID-j6uh-kx6m-sydp
5
vulnerability VCID-k4r8-a72h-fkdf
6
vulnerability VCID-kb4a-mm13-63bj
7
vulnerability VCID-mbgq-fq5n-kufh
8
vulnerability VCID-tpjn-4kru-vucv
9
vulnerability VCID-vras-f42j-xqfg
10
vulnerability VCID-w8ff-8479-rbfq
11
vulnerability VCID-xwza-guvs-83a9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-27906, GHSA-6v6w-h8m6-7mv2, PYSEC-2024-245
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yrx8-dtav-83av
62
url VCID-yz8w-uv1z-5ybw
vulnerability_id VCID-yz8w-uv1z-5ybw
summary An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-11981
reference_id
reference_type
scores
0
value 0.91588
scoring_system epss
scoring_elements 0.99688
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-11981
1
reference_url https://github.com/advisories/GHSA-976r-qfjj-c24w
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-976r-qfjj-c24w
2
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1963-1kyn-2ban
1
vulnerability VCID-1azm-hsvr-f3e8
2
vulnerability VCID-1ptn-xvsy-d3hu
3
vulnerability VCID-2q7x-bua5-37h7
4
vulnerability VCID-2xpf-ut63-tbcx
5
vulnerability VCID-37nw-x186-puds
6
vulnerability VCID-4693-xwwu-7uem
7
vulnerability VCID-4btd-59ga-1yd4
8
vulnerability VCID-4u8d-ezsr-sqcz
9
vulnerability VCID-5j9w-1tng-k3ac
10
vulnerability VCID-5ph5-s3qc-guf4
11
vulnerability VCID-5ufe-1rrj-rkgp
12
vulnerability VCID-6hxm-nnhg-buex
13
vulnerability VCID-7z8j-8f4d-53dm
14
vulnerability VCID-82p8-yujf-hkdd
15
vulnerability VCID-8m3p-yzr8-yyhj
16
vulnerability VCID-8npr-rvfd-jkfj
17
vulnerability VCID-8ykk-1kak-6bfd
18
vulnerability VCID-9f34-2r5y-sydz
19
vulnerability VCID-arbk-dryb-qkda
20
vulnerability VCID-bn9u-brjp-yudy
21
vulnerability VCID-ctd9-hxfn-8fcs
22
vulnerability VCID-d3kc-fn21-xqar
23
vulnerability VCID-dk1y-938p-k3bv
24
vulnerability VCID-e19b-adrm-x7fu
25
vulnerability VCID-fctg-457f-4uae
26
vulnerability VCID-fnsx-gtgn-27dr
27
vulnerability VCID-gbgf-jfzt-tqg1
28
vulnerability VCID-gg94-fdbv-y7g1
29
vulnerability VCID-gt7b-5554-y7dq
30
vulnerability VCID-hgq2-kuex-y3a3
31
vulnerability VCID-hpf3-3z3m-6ydt
32
vulnerability VCID-j6uh-kx6m-sydp
33
vulnerability VCID-jrwf-mt69-1ydt
34
vulnerability VCID-kb4a-mm13-63bj
35
vulnerability VCID-kgfb-yphg-n3ec
36
vulnerability VCID-krjr-ctw4-r3d3
37
vulnerability VCID-ms13-tzaa-hkej
38
vulnerability VCID-nfbc-tutd-37bw
39
vulnerability VCID-p42d-ta7v-7yhn
40
vulnerability VCID-pb3b-22wk-pbh5
41
vulnerability VCID-pmtw-nwnc-nyfw
42
vulnerability VCID-pqgj-ry81-6ua3
43
vulnerability VCID-qxnw-7urw-fud2
44
vulnerability VCID-rysu-xhvt-yqda
45
vulnerability VCID-s49h-br5r-5yh8
46
vulnerability VCID-ssbp-gvfd-2kef
47
vulnerability VCID-tcjg-f9cn-mubj
48
vulnerability VCID-tpjn-4kru-vucv
49
vulnerability VCID-vj7z-pmk3-cydg
50
vulnerability VCID-vras-f42j-xqfg
51
vulnerability VCID-vy44-rbar-w3fn
52
vulnerability VCID-w8ff-8479-rbfq
53
vulnerability VCID-xwza-guvs-83a9
54
vulnerability VCID-ygjc-77t9-yfge
55
vulnerability VCID-yrx8-dtav-83av
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
aliases CVE-2020-11981, GHSA-976r-qfjj-c24w, PYSEC-2020-15
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yz8w-uv1z-5ybw
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.4rc2