Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-airflow@1.10.3b2
Typepypi
Namespace
Nameapache-airflow
Version1.10.3b2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.2.2
Latest_non_vulnerable_version3.2.2
Affected_by_vulnerabilities
0
url VCID-1w96-f72k-ryap
vulnerability_id VCID-1w96-f72k-ryap
summary A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.
references
0
reference_url https://github.com/apache/airflow/pull/65325
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/65325
1
reference_url https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl
2
reference_url http://www.openwall.com/lists/oss-security/2026/05/31/1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/05/31/1
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-40861, PYSEC-2026-181
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1w96-f72k-ryap
1
url VCID-2fnz-jqpe-nuau
vulnerability_id VCID-2fnz-jqpe-nuau
summary It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.
references
0
reference_url https://github.com/advisories/GHSA-65xw-pcqw-hjrh
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-65xw-pcqw-hjrh
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml
4
reference_url https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk
reference_id
reference_type
scores
url https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-45229
reference_id CVE-2021-45229
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-45229
fixed_packages
0
url pkg:pypi/apache-airflow@2.2.4rc1
purl pkg:pypi/apache-airflow@2.2.4rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-2ysx-9hz5-fyfm
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-4xax-xw67-2qfv
6
vulnerability VCID-56eq-awhd-d3fr
7
vulnerability VCID-5cpd-kjpb-ekhv
8
vulnerability VCID-5jyk-dgtu-zfhd
9
vulnerability VCID-5yxa-ubfq-fqdx
10
vulnerability VCID-5zmy-2ape-7qfa
11
vulnerability VCID-6gjt-zsju-47a3
12
vulnerability VCID-6vg9-hu9u-q7c3
13
vulnerability VCID-71hr-1ews-9qa6
14
vulnerability VCID-835a-arqz-g7h7
15
vulnerability VCID-91n6-evww-zybp
16
vulnerability VCID-98yf-mvnw-d3b4
17
vulnerability VCID-amac-hqnj-xfgz
18
vulnerability VCID-b3w3-h9cm-ufgm
19
vulnerability VCID-cahz-4dy7-bbe9
20
vulnerability VCID-dh4r-77xc-cbas
21
vulnerability VCID-djdy-z9r3-s3a2
22
vulnerability VCID-ej1r-mp6n-gudd
23
vulnerability VCID-ez45-qkb4-xkba
24
vulnerability VCID-fbjk-2uvy-mqfc
25
vulnerability VCID-gz6e-b7dz-5qdf
26
vulnerability VCID-h6sp-398p-pbeg
27
vulnerability VCID-hah6-e5fc-juc5
28
vulnerability VCID-hy75-nfg7-zfae
29
vulnerability VCID-j86y-n37n-n7ft
30
vulnerability VCID-kh46-xrgm-9udx
31
vulnerability VCID-mcbu-b45m-k3ck
32
vulnerability VCID-njyy-ywer-x7bf
33
vulnerability VCID-pu6f-xhvm-q3du
34
vulnerability VCID-pybp-gfy8-2qcr
35
vulnerability VCID-pypb-cezm-rkb2
36
vulnerability VCID-q84t-8dac-93dm
37
vulnerability VCID-qehu-58hj-67gn
38
vulnerability VCID-qmpd-946c-gqbc
39
vulnerability VCID-qr9h-6dg8-gkh3
40
vulnerability VCID-ryct-uaw3-fyfc
41
vulnerability VCID-suwt-h1ze-mydu
42
vulnerability VCID-t3ap-dzfp-1bd6
43
vulnerability VCID-t476-g5u5-1yeh
44
vulnerability VCID-u5wv-47m4-8yd6
45
vulnerability VCID-x9ns-34nt-gfer
46
vulnerability VCID-xh7u-8ze6-cqhk
47
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4rc1
aliases CVE-2021-45229, GHSA-65xw-pcqw-hjrh, PYSEC-2022-29
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2fnz-jqpe-nuau
2
url VCID-2xr2-w3hk-auck
vulnerability_id VCID-2xr2-w3hk-auck
summary 
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/61641
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/61641
1
reference_url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/9
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url http://www.openwall.com/lists/oss-security/2026/04/17/9
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2zj7-8yhg-8qen
2
vulnerability VCID-4nax-1d7y-1kbh
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-9ru4-qyks-hybs
5
vulnerability VCID-dhj9-usjr-nbfe
6
vulnerability VCID-djdy-z9r3-s3a2
7
vulnerability VCID-dzfs-e5ys-fbhz
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-frvt-ng4a-jqfh
10
vulnerability VCID-pu6f-xhvm-q3du
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-25917, PYSEC-2026-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck
3
url VCID-2ysx-9hz5-fyfm
vulnerability_id VCID-2ysx-9hz5-fyfm
summary In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
references
0
reference_url https://github.com/apache/airflow/pull/27143
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/27143
1
reference_url https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq
reference_id
reference_type
scores
url https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.2
purl pkg:pypi/apache-airflow@2.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6gjt-zsju-47a3
9
vulnerability VCID-6vg9-hu9u-q7c3
10
vulnerability VCID-71hr-1ews-9qa6
11
vulnerability VCID-835a-arqz-g7h7
12
vulnerability VCID-91n6-evww-zybp
13
vulnerability VCID-98yf-mvnw-d3b4
14
vulnerability VCID-a64u-53x6-dfge
15
vulnerability VCID-amac-hqnj-xfgz
16
vulnerability VCID-b3w3-h9cm-ufgm
17
vulnerability VCID-cahz-4dy7-bbe9
18
vulnerability VCID-csqr-pdvv-gfbh
19
vulnerability VCID-dh4r-77xc-cbas
20
vulnerability VCID-djdy-z9r3-s3a2
21
vulnerability VCID-ej1r-mp6n-gudd
22
vulnerability VCID-ez45-qkb4-xkba
23
vulnerability VCID-fbjk-2uvy-mqfc
24
vulnerability VCID-h6sp-398p-pbeg
25
vulnerability VCID-hah6-e5fc-juc5
26
vulnerability VCID-hy75-nfg7-zfae
27
vulnerability VCID-j86y-n37n-n7ft
28
vulnerability VCID-mcbu-b45m-k3ck
29
vulnerability VCID-njyy-ywer-x7bf
30
vulnerability VCID-pu6f-xhvm-q3du
31
vulnerability VCID-pypb-cezm-rkb2
32
vulnerability VCID-qehu-58hj-67gn
33
vulnerability VCID-qmpd-946c-gqbc
34
vulnerability VCID-ryct-uaw3-fyfc
35
vulnerability VCID-suwt-h1ze-mydu
36
vulnerability VCID-t3ap-dzfp-1bd6
37
vulnerability VCID-t476-g5u5-1yeh
38
vulnerability VCID-u5wv-47m4-8yd6
39
vulnerability VCID-x9ns-34nt-gfer
40
vulnerability VCID-xh7u-8ze6-cqhk
41
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2
aliases CVE-2022-43985, PYSEC-2022-42971
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2ysx-9hz5-fyfm
4
url VCID-3h3z-bfsc-jqax
vulnerability_id VCID-3h3z-bfsc-jqax
summary 
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.
This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.
Users are recommended to upgrade to 2.8.0, which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929
2
reference_url https://github.com/apache/airflow/pull/33932
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://github.com/apache/airflow/pull/33932
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml
4
reference_url https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn
5
reference_url http://www.openwall.com/lists/oss-security/2023/12/21/4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url http://www.openwall.com/lists/oss-security/2023/12/21/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50783
reference_id CVE-2023-50783
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50783
7
reference_url https://github.com/advisories/GHSA-5938-79hg-xh3q
reference_id GHSA-5938-79hg-xh3q
reference_type
scores
url https://github.com/advisories/GHSA-5938-79hg-xh3q
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.0
purl pkg:pypi/apache-airflow@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-4ga6-4111-dyc9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-6vg9-hu9u-q7c3
6
vulnerability VCID-835a-arqz-g7h7
7
vulnerability VCID-91n6-evww-zybp
8
vulnerability VCID-a64u-53x6-dfge
9
vulnerability VCID-amac-hqnj-xfgz
10
vulnerability VCID-dh4r-77xc-cbas
11
vulnerability VCID-djdy-z9r3-s3a2
12
vulnerability VCID-e5dn-tpzy-qqec
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-mcbu-b45m-k3ck
15
vulnerability VCID-pu6f-xhvm-q3du
16
vulnerability VCID-t3ap-dzfp-1bd6
17
vulnerability VCID-u5wv-47m4-8yd6
18
vulnerability VCID-x9ns-34nt-gfer
19
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0
aliases CVE-2023-50783, GHSA-5938-79hg-xh3q, PYSEC-2023-267
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3h3z-bfsc-jqax
5
url VCID-4dpy-dzpr-bbg7
vulnerability_id VCID-4dpy-dzpr-bbg7
summary In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
references
0
reference_url https://github.com/advisories/GHSA-rjvg-q57v-mjjc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-rjvg-q57v-mjjc
1
reference_url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b@%3Cdev.airflow.apache.org%3E
2
reference_url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
3
reference_url http://www.openwall.com/lists/oss-security/2020/01/14/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/01/14/2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-12398
reference_id CVE-2019-12398
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2019-12398
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.5
purl pkg:pypi/apache-airflow@1.10.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-4xdb-1kww-sfdh
8
vulnerability VCID-56eq-awhd-d3fr
9
vulnerability VCID-5cpd-kjpb-ekhv
10
vulnerability VCID-5jyk-dgtu-zfhd
11
vulnerability VCID-5yxa-ubfq-fqdx
12
vulnerability VCID-5zmy-2ape-7qfa
13
vulnerability VCID-6gjt-zsju-47a3
14
vulnerability VCID-6ksf-tekv-dud3
15
vulnerability VCID-6vg9-hu9u-q7c3
16
vulnerability VCID-71hr-1ews-9qa6
17
vulnerability VCID-82kk-s7d6-f7he
18
vulnerability VCID-835a-arqz-g7h7
19
vulnerability VCID-91n6-evww-zybp
20
vulnerability VCID-98yf-mvnw-d3b4
21
vulnerability VCID-9jm4-t1je-vqhm
22
vulnerability VCID-9tq4-v733-hug3
23
vulnerability VCID-amac-hqnj-xfgz
24
vulnerability VCID-b3w3-h9cm-ufgm
25
vulnerability VCID-bwd5-3jt5-pyb8
26
vulnerability VCID-cahz-4dy7-bbe9
27
vulnerability VCID-dh4r-77xc-cbas
28
vulnerability VCID-djdy-z9r3-s3a2
29
vulnerability VCID-due7-n14c-akfx
30
vulnerability VCID-ej1r-mp6n-gudd
31
vulnerability VCID-ez45-qkb4-xkba
32
vulnerability VCID-fbjk-2uvy-mqfc
33
vulnerability VCID-frbp-mhhr-8bdt
34
vulnerability VCID-gn6e-a1yp-g7dw
35
vulnerability VCID-gz6e-b7dz-5qdf
36
vulnerability VCID-h6sp-398p-pbeg
37
vulnerability VCID-hah6-e5fc-juc5
38
vulnerability VCID-hy75-nfg7-zfae
39
vulnerability VCID-j86y-n37n-n7ft
40
vulnerability VCID-jq98-gxbc-pydt
41
vulnerability VCID-kh46-xrgm-9udx
42
vulnerability VCID-ks8d-9vr8-4feh
43
vulnerability VCID-mcbu-b45m-k3ck
44
vulnerability VCID-njyy-ywer-x7bf
45
vulnerability VCID-p9we-cpy2-17h4
46
vulnerability VCID-pe8h-9hgu-j3hx
47
vulnerability VCID-pu6f-xhvm-q3du
48
vulnerability VCID-pybp-gfy8-2qcr
49
vulnerability VCID-pypb-cezm-rkb2
50
vulnerability VCID-q84t-8dac-93dm
51
vulnerability VCID-qehu-58hj-67gn
52
vulnerability VCID-qmpd-946c-gqbc
53
vulnerability VCID-qr9h-6dg8-gkh3
54
vulnerability VCID-quaj-w9r3-qya8
55
vulnerability VCID-reu2-2xcq-fqa4
56
vulnerability VCID-ryct-uaw3-fyfc
57
vulnerability VCID-suwt-h1ze-mydu
58
vulnerability VCID-t3ap-dzfp-1bd6
59
vulnerability VCID-t476-g5u5-1yeh
60
vulnerability VCID-trd4-8vc9-ufab
61
vulnerability VCID-u5wv-47m4-8yd6
62
vulnerability VCID-x9ns-34nt-gfer
63
vulnerability VCID-xh7u-8ze6-cqhk
64
vulnerability VCID-y7az-a4um-jqff
65
vulnerability VCID-ydhm-m8vh-mber
66
vulnerability VCID-z4w8-3mr1-63ed
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.5
aliases CVE-2019-12398, GHSA-rjvg-q57v-mjjc, PYSEC-2020-162
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4dpy-dzpr-bbg7
6
url VCID-4ga6-4111-dyc9
vulnerability_id VCID-4ga6-4111-dyc9
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
2
reference_url https://github.com/apache/airflow/pull/36257
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/36257
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
4
reference_url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
5
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/01/24/5
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
reference_id CVE-2023-50944
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
7
reference_url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
reference_id GHSA-vm5m-qmrx-fw8w
reference_type
scores
url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-4ga6-4111-dyc9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-6vg9-hu9u-q7c3
6
vulnerability VCID-835a-arqz-g7h7
7
vulnerability VCID-91n6-evww-zybp
8
vulnerability VCID-a64u-53x6-dfge
9
vulnerability VCID-amac-hqnj-xfgz
10
vulnerability VCID-dh4r-77xc-cbas
11
vulnerability VCID-djdy-z9r3-s3a2
12
vulnerability VCID-e5dn-tpzy-qqec
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-mcbu-b45m-k3ck
15
vulnerability VCID-pu6f-xhvm-q3du
16
vulnerability VCID-t3ap-dzfp-1bd6
17
vulnerability VCID-u5wv-47m4-8yd6
18
vulnerability VCID-x9ns-34nt-gfer
19
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-6vg9-hu9u-q7c3
5
vulnerability VCID-835a-arqz-g7h7
6
vulnerability VCID-91n6-evww-zybp
7
vulnerability VCID-a64u-53x6-dfge
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-e5dn-tpzy-qqec
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-mcbu-b45m-k3ck
13
vulnerability VCID-pu6f-xhvm-q3du
14
vulnerability VCID-t3ap-dzfp-1bd6
15
vulnerability VCID-u5wv-47m4-8yd6
16
vulnerability VCID-x9ns-34nt-gfer
17
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50944, GHSA-vm5m-qmrx-fw8w, PYSEC-2024-14
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9
7
url VCID-4xax-xw67-2qfv
vulnerability_id VCID-4xax-xw67-2qfv
summary A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.
references
0
reference_url https://github.com/apache/airflow/pull/22754
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/22754
1
reference_url https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p
reference_id
reference_type
scores
url https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p
2
reference_url http://www.openwall.com/lists/oss-security/2022/11/14/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/11/14/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.3.1
purl pkg:pypi/apache-airflow@2.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-2ysx-9hz5-fyfm
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4bps-htex-tqgk
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-56eq-awhd-d3fr
7
vulnerability VCID-5cpd-kjpb-ekhv
8
vulnerability VCID-5jyk-dgtu-zfhd
9
vulnerability VCID-5nys-mzgw-4khd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6pk8-baws-e3dt
14
vulnerability VCID-6vg9-hu9u-q7c3
15
vulnerability VCID-71hr-1ews-9qa6
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-ej1r-mp6n-gudd
25
vulnerability VCID-ez45-qkb4-xkba
26
vulnerability VCID-fbjk-2uvy-mqfc
27
vulnerability VCID-gz6e-b7dz-5qdf
28
vulnerability VCID-h6sp-398p-pbeg
29
vulnerability VCID-hah6-e5fc-juc5
30
vulnerability VCID-hy75-nfg7-zfae
31
vulnerability VCID-j86y-n37n-n7ft
32
vulnerability VCID-kh46-xrgm-9udx
33
vulnerability VCID-mcbu-b45m-k3ck
34
vulnerability VCID-njyy-ywer-x7bf
35
vulnerability VCID-pu6f-xhvm-q3du
36
vulnerability VCID-pypb-cezm-rkb2
37
vulnerability VCID-q84t-8dac-93dm
38
vulnerability VCID-qehu-58hj-67gn
39
vulnerability VCID-qmpd-946c-gqbc
40
vulnerability VCID-qr9h-6dg8-gkh3
41
vulnerability VCID-ryct-uaw3-fyfc
42
vulnerability VCID-suwt-h1ze-mydu
43
vulnerability VCID-t3ap-dzfp-1bd6
44
vulnerability VCID-t476-g5u5-1yeh
45
vulnerability VCID-u5wv-47m4-8yd6
46
vulnerability VCID-x9ns-34nt-gfer
47
vulnerability VCID-xh7u-8ze6-cqhk
48
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.1
aliases CVE-2022-27949, PYSEC-2022-42981
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4xax-xw67-2qfv
8
url VCID-4xdb-1kww-sfdh
vulnerability_id VCID-4xdb-1kww-sfdh
summary An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
references
0
reference_url https://github.com/advisories/GHSA-rvmq-4x66-q7j3
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-rvmq-4x66-q7j3
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/2fa51576e1283f5732e38fada686fd248d9c3a1e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2fa51576e1283f5732e38fada686fd248d9c3a1e
3
reference_url https://github.com/apache/airflow/commit/4d8599e8b0520ff4226fbad72f724afae50fdd08
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/4d8599e8b0520ff4226fbad72f724afae50fdd08
4
reference_url https://github.com/apache/airflow/pull/9143
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/9143
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-14.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-14.yaml
6
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11978
reference_id
reference_type
scores
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11978
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-11978
reference_id CVE-2020-11978
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-11978
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-quaj-w9r3-qya8
50
vulnerability VCID-reu2-2xcq-fqa4
51
vulnerability VCID-ryct-uaw3-fyfc
52
vulnerability VCID-suwt-h1ze-mydu
53
vulnerability VCID-t3ap-dzfp-1bd6
54
vulnerability VCID-t476-g5u5-1yeh
55
vulnerability VCID-trd4-8vc9-ufab
56
vulnerability VCID-u5wv-47m4-8yd6
57
vulnerability VCID-x9ns-34nt-gfer
58
vulnerability VCID-xh7u-8ze6-cqhk
59
vulnerability VCID-y7az-a4um-jqff
60
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
aliases CVE-2020-11978, GHSA-rvmq-4x66-q7j3, PYSEC-2020-14
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4xdb-1kww-sfdh
9
url VCID-56eq-awhd-d3fr
vulnerability_id VCID-56eq-awhd-d3fr
summary 
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. 
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d
2
reference_url https://github.com/apache/airflow/pull/41672
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/41672
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml
4
reference_url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
5
reference_url http://www.openwall.com/lists/oss-security/2024/09/06/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/09/06/3
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45034
reference_id CVE-2024-45034
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45034
7
reference_url https://github.com/advisories/GHSA-92xg-gmrq-5c3w
reference_id GHSA-92xg-gmrq-5c3w
reference_type
scores
url https://github.com/advisories/GHSA-92xg-gmrq-5c3w
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.1
purl pkg:pypi/apache-airflow@2.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5jyk-dgtu-zfhd
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-djdy-z9r3-s3a2
6
vulnerability VCID-ej1r-mp6n-gudd
7
vulnerability VCID-pu6f-xhvm-q3du
8
vulnerability VCID-t3ap-dzfp-1bd6
9
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1
aliases CVE-2024-45034, GHSA-92xg-gmrq-5c3w, PYSEC-2024-212
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr
10
url VCID-5cpd-kjpb-ekhv
vulnerability_id VCID-5cpd-kjpb-ekhv
summary 
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/34315
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/34315
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml
3
reference_url https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
reference_id
reference_type
scores
url https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42663
reference_id CVE-2023-42663
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42663
5
reference_url https://github.com/advisories/GHSA-32wr-qqw6-5mfp
reference_id GHSA-32wr-qqw6-5mfp
reference_type
scores
url https://github.com/advisories/GHSA-32wr-qqw6-5mfp
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.2
purl pkg:pypi/apache-airflow@2.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5jyk-dgtu-zfhd
6
vulnerability VCID-6vg9-hu9u-q7c3
7
vulnerability VCID-835a-arqz-g7h7
8
vulnerability VCID-91n6-evww-zybp
9
vulnerability VCID-98yf-mvnw-d3b4
10
vulnerability VCID-a64u-53x6-dfge
11
vulnerability VCID-amac-hqnj-xfgz
12
vulnerability VCID-dh4r-77xc-cbas
13
vulnerability VCID-djdy-z9r3-s3a2
14
vulnerability VCID-ej1r-mp6n-gudd
15
vulnerability VCID-fbjk-2uvy-mqfc
16
vulnerability VCID-j86y-n37n-n7ft
17
vulnerability VCID-mcbu-b45m-k3ck
18
vulnerability VCID-pu6f-xhvm-q3du
19
vulnerability VCID-t3ap-dzfp-1bd6
20
vulnerability VCID-t7xp-8ua7-d7ff
21
vulnerability VCID-u5wv-47m4-8yd6
22
vulnerability VCID-wb11-e3rz-e3cf
23
vulnerability VCID-x9ns-34nt-gfer
24
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2
aliases CVE-2023-42663, GHSA-32wr-qqw6-5mfp, PYSEC-2023-197
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5cpd-kjpb-ekhv
11
url VCID-5jyk-dgtu-zfhd
vulnerability_id VCID-5jyk-dgtu-zfhd
summary Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
references
0
reference_url https://github.com/apache/airflow/pull/66737
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://github.com/apache/airflow/pull/66737
1
reference_url https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83
2
reference_url http://www.openwall.com/lists/oss-security/2026/05/31/12
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url http://www.openwall.com/lists/oss-security/2026/05/31/12
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-45360, PYSEC-2026-186
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5jyk-dgtu-zfhd
12
url VCID-5yxa-ubfq-fqdx
vulnerability_id VCID-5yxa-ubfq-fqdx
summary In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.
references
0
reference_url https://github.com/apache/airflow/pull/27143
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/27143
1
reference_url https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l
reference_id
reference_type
scores
url https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.2
purl pkg:pypi/apache-airflow@2.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6gjt-zsju-47a3
9
vulnerability VCID-6vg9-hu9u-q7c3
10
vulnerability VCID-71hr-1ews-9qa6
11
vulnerability VCID-835a-arqz-g7h7
12
vulnerability VCID-91n6-evww-zybp
13
vulnerability VCID-98yf-mvnw-d3b4
14
vulnerability VCID-a64u-53x6-dfge
15
vulnerability VCID-amac-hqnj-xfgz
16
vulnerability VCID-b3w3-h9cm-ufgm
17
vulnerability VCID-cahz-4dy7-bbe9
18
vulnerability VCID-csqr-pdvv-gfbh
19
vulnerability VCID-dh4r-77xc-cbas
20
vulnerability VCID-djdy-z9r3-s3a2
21
vulnerability VCID-ej1r-mp6n-gudd
22
vulnerability VCID-ez45-qkb4-xkba
23
vulnerability VCID-fbjk-2uvy-mqfc
24
vulnerability VCID-h6sp-398p-pbeg
25
vulnerability VCID-hah6-e5fc-juc5
26
vulnerability VCID-hy75-nfg7-zfae
27
vulnerability VCID-j86y-n37n-n7ft
28
vulnerability VCID-mcbu-b45m-k3ck
29
vulnerability VCID-njyy-ywer-x7bf
30
vulnerability VCID-pu6f-xhvm-q3du
31
vulnerability VCID-pypb-cezm-rkb2
32
vulnerability VCID-qehu-58hj-67gn
33
vulnerability VCID-qmpd-946c-gqbc
34
vulnerability VCID-ryct-uaw3-fyfc
35
vulnerability VCID-suwt-h1ze-mydu
36
vulnerability VCID-t3ap-dzfp-1bd6
37
vulnerability VCID-t476-g5u5-1yeh
38
vulnerability VCID-u5wv-47m4-8yd6
39
vulnerability VCID-x9ns-34nt-gfer
40
vulnerability VCID-xh7u-8ze6-cqhk
41
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2
aliases CVE-2022-43982, PYSEC-2022-42970
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5yxa-ubfq-fqdx
13
url VCID-5zmy-2ape-7qfa
vulnerability_id VCID-5zmy-2ape-7qfa
summary 
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.

Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e
2
reference_url https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148
3
reference_url https://github.com/apache/airflow/pull/33512
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33512
4
reference_url https://github.com/apache/airflow/pull/33516
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33516
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml
6
reference_url https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
reference_id
reference_type
scores
url https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40712
reference_id CVE-2023-40712
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40712
8
reference_url https://github.com/advisories/GHSA-mjqh-v5f2-g2mw
reference_id GHSA-mjqh-v5f2-g2mw
reference_type
scores
url https://github.com/advisories/GHSA-mjqh-v5f2-g2mw
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.1
purl pkg:pypi/apache-airflow@2.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1jx5-34px-ukbz
1
vulnerability VCID-1w96-f72k-ryap
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-56eq-awhd-d3fr
6
vulnerability VCID-5cpd-kjpb-ekhv
7
vulnerability VCID-5jyk-dgtu-zfhd
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-dh4r-77xc-cbas
15
vulnerability VCID-djdy-z9r3-s3a2
16
vulnerability VCID-ej1r-mp6n-gudd
17
vulnerability VCID-fbjk-2uvy-mqfc
18
vulnerability VCID-j86y-n37n-n7ft
19
vulnerability VCID-mcbu-b45m-k3ck
20
vulnerability VCID-njyy-ywer-x7bf
21
vulnerability VCID-pu6f-xhvm-q3du
22
vulnerability VCID-t3ap-dzfp-1bd6
23
vulnerability VCID-t476-g5u5-1yeh
24
vulnerability VCID-t7xp-8ua7-d7ff
25
vulnerability VCID-u5wv-47m4-8yd6
26
vulnerability VCID-wb11-e3rz-e3cf
27
vulnerability VCID-x9ns-34nt-gfer
28
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1
aliases CVE-2023-40712, GHSA-mjqh-v5f2-g2mw, PYSEC-2023-171
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5zmy-2ape-7qfa
14
url VCID-6gjt-zsju-47a3
vulnerability_id VCID-6gjt-zsju-47a3
summary 
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.

Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.
This issue affects Apache Airflow Drill Provider: before 2.4.3.
It is recommended to upgrade to a version that is not affected.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110
2
reference_url https://github.com/apache/airflow/pull/33074
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33074
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml
4
reference_url https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf
reference_id
reference_type
scores
url https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf
5
reference_url https://www.openwall.com/lists/oss-security/2023/08/11/1
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/08/11/1
6
reference_url http://www.openwall.com/lists/oss-security/2023/08/11/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2023/08/11/1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-39553
reference_id CVE-2023-39553
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-39553
8
reference_url https://github.com/advisories/GHSA-mq4v-6vg4-796c
reference_id GHSA-mq4v-6vg4-796c
reference_type
scores
url https://github.com/advisories/GHSA-mq4v-6vg4-796c
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.3
purl pkg:pypi/apache-airflow@2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-b3w3-h9cm-ufgm
16
vulnerability VCID-cahz-4dy7-bbe9
17
vulnerability VCID-csqr-pdvv-gfbh
18
vulnerability VCID-dh4r-77xc-cbas
19
vulnerability VCID-djdy-z9r3-s3a2
20
vulnerability VCID-ej1r-mp6n-gudd
21
vulnerability VCID-ez45-qkb4-xkba
22
vulnerability VCID-fbjk-2uvy-mqfc
23
vulnerability VCID-h6sp-398p-pbeg
24
vulnerability VCID-hah6-e5fc-juc5
25
vulnerability VCID-hy75-nfg7-zfae
26
vulnerability VCID-j86y-n37n-n7ft
27
vulnerability VCID-mcbu-b45m-k3ck
28
vulnerability VCID-njyy-ywer-x7bf
29
vulnerability VCID-pu6f-xhvm-q3du
30
vulnerability VCID-pypb-cezm-rkb2
31
vulnerability VCID-qmpd-946c-gqbc
32
vulnerability VCID-ryct-uaw3-fyfc
33
vulnerability VCID-suwt-h1ze-mydu
34
vulnerability VCID-t3ap-dzfp-1bd6
35
vulnerability VCID-t476-g5u5-1yeh
36
vulnerability VCID-u5wv-47m4-8yd6
37
vulnerability VCID-x9ns-34nt-gfer
38
vulnerability VCID-xh7u-8ze6-cqhk
39
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3
aliases CVE-2023-39553, GHSA-mq4v-6vg4-796c, PYSEC-2023-136
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6gjt-zsju-47a3
15
url VCID-6ksf-tekv-dud3
vulnerability_id VCID-6ksf-tekv-dud3
summary A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
references
0
reference_url https://github.com/advisories/GHSA-q3p4-gw7r-wqjc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-q3p4-gw7r-wqjc
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/caf1f264b845153b9a61b00b1a57acb7c320e743
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/caf1f264b845153b9a61b00b1a57acb7c320e743
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-216.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-216.yaml
4
reference_url https://lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@%3Cusers.airflow.apache.org%3E
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-12417
reference_id CVE-2019-12417
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2019-12417
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.6rc1
purl pkg:pypi/apache-airflow@1.10.6rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-4xdb-1kww-sfdh
8
vulnerability VCID-56eq-awhd-d3fr
9
vulnerability VCID-5cpd-kjpb-ekhv
10
vulnerability VCID-5jyk-dgtu-zfhd
11
vulnerability VCID-5yxa-ubfq-fqdx
12
vulnerability VCID-5zmy-2ape-7qfa
13
vulnerability VCID-6gjt-zsju-47a3
14
vulnerability VCID-6vg9-hu9u-q7c3
15
vulnerability VCID-71hr-1ews-9qa6
16
vulnerability VCID-82kk-s7d6-f7he
17
vulnerability VCID-835a-arqz-g7h7
18
vulnerability VCID-91n6-evww-zybp
19
vulnerability VCID-98yf-mvnw-d3b4
20
vulnerability VCID-9jm4-t1je-vqhm
21
vulnerability VCID-9tq4-v733-hug3
22
vulnerability VCID-amac-hqnj-xfgz
23
vulnerability VCID-b3w3-h9cm-ufgm
24
vulnerability VCID-bwd5-3jt5-pyb8
25
vulnerability VCID-cahz-4dy7-bbe9
26
vulnerability VCID-dh4r-77xc-cbas
27
vulnerability VCID-djdy-z9r3-s3a2
28
vulnerability VCID-due7-n14c-akfx
29
vulnerability VCID-ej1r-mp6n-gudd
30
vulnerability VCID-ez45-qkb4-xkba
31
vulnerability VCID-fbjk-2uvy-mqfc
32
vulnerability VCID-frbp-mhhr-8bdt
33
vulnerability VCID-gn6e-a1yp-g7dw
34
vulnerability VCID-gz6e-b7dz-5qdf
35
vulnerability VCID-h6sp-398p-pbeg
36
vulnerability VCID-hah6-e5fc-juc5
37
vulnerability VCID-hy75-nfg7-zfae
38
vulnerability VCID-j86y-n37n-n7ft
39
vulnerability VCID-jq98-gxbc-pydt
40
vulnerability VCID-kh46-xrgm-9udx
41
vulnerability VCID-ks8d-9vr8-4feh
42
vulnerability VCID-mcbu-b45m-k3ck
43
vulnerability VCID-njyy-ywer-x7bf
44
vulnerability VCID-p9we-cpy2-17h4
45
vulnerability VCID-pe8h-9hgu-j3hx
46
vulnerability VCID-pu6f-xhvm-q3du
47
vulnerability VCID-pybp-gfy8-2qcr
48
vulnerability VCID-pypb-cezm-rkb2
49
vulnerability VCID-q84t-8dac-93dm
50
vulnerability VCID-qehu-58hj-67gn
51
vulnerability VCID-qmpd-946c-gqbc
52
vulnerability VCID-qr9h-6dg8-gkh3
53
vulnerability VCID-quaj-w9r3-qya8
54
vulnerability VCID-reu2-2xcq-fqa4
55
vulnerability VCID-ryct-uaw3-fyfc
56
vulnerability VCID-suwt-h1ze-mydu
57
vulnerability VCID-t3ap-dzfp-1bd6
58
vulnerability VCID-t476-g5u5-1yeh
59
vulnerability VCID-trd4-8vc9-ufab
60
vulnerability VCID-u5wv-47m4-8yd6
61
vulnerability VCID-x9ns-34nt-gfer
62
vulnerability VCID-xh7u-8ze6-cqhk
63
vulnerability VCID-y7az-a4um-jqff
64
vulnerability VCID-ydhm-m8vh-mber
65
vulnerability VCID-z4w8-3mr1-63ed
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.6rc1
1
url pkg:pypi/apache-airflow@1.10.6
purl pkg:pypi/apache-airflow@1.10.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-4xdb-1kww-sfdh
8
vulnerability VCID-56eq-awhd-d3fr
9
vulnerability VCID-5cpd-kjpb-ekhv
10
vulnerability VCID-5jyk-dgtu-zfhd
11
vulnerability VCID-5yxa-ubfq-fqdx
12
vulnerability VCID-5zmy-2ape-7qfa
13
vulnerability VCID-6gjt-zsju-47a3
14
vulnerability VCID-6vg9-hu9u-q7c3
15
vulnerability VCID-71hr-1ews-9qa6
16
vulnerability VCID-82kk-s7d6-f7he
17
vulnerability VCID-835a-arqz-g7h7
18
vulnerability VCID-91n6-evww-zybp
19
vulnerability VCID-98yf-mvnw-d3b4
20
vulnerability VCID-9jm4-t1je-vqhm
21
vulnerability VCID-9tq4-v733-hug3
22
vulnerability VCID-amac-hqnj-xfgz
23
vulnerability VCID-b3w3-h9cm-ufgm
24
vulnerability VCID-bwd5-3jt5-pyb8
25
vulnerability VCID-cahz-4dy7-bbe9
26
vulnerability VCID-dh4r-77xc-cbas
27
vulnerability VCID-djdy-z9r3-s3a2
28
vulnerability VCID-due7-n14c-akfx
29
vulnerability VCID-ej1r-mp6n-gudd
30
vulnerability VCID-ez45-qkb4-xkba
31
vulnerability VCID-fbjk-2uvy-mqfc
32
vulnerability VCID-frbp-mhhr-8bdt
33
vulnerability VCID-gn6e-a1yp-g7dw
34
vulnerability VCID-gz6e-b7dz-5qdf
35
vulnerability VCID-h6sp-398p-pbeg
36
vulnerability VCID-hah6-e5fc-juc5
37
vulnerability VCID-hy75-nfg7-zfae
38
vulnerability VCID-j86y-n37n-n7ft
39
vulnerability VCID-jq98-gxbc-pydt
40
vulnerability VCID-kh46-xrgm-9udx
41
vulnerability VCID-ks8d-9vr8-4feh
42
vulnerability VCID-mcbu-b45m-k3ck
43
vulnerability VCID-njyy-ywer-x7bf
44
vulnerability VCID-p9we-cpy2-17h4
45
vulnerability VCID-pe8h-9hgu-j3hx
46
vulnerability VCID-pu6f-xhvm-q3du
47
vulnerability VCID-pybp-gfy8-2qcr
48
vulnerability VCID-pypb-cezm-rkb2
49
vulnerability VCID-q84t-8dac-93dm
50
vulnerability VCID-qehu-58hj-67gn
51
vulnerability VCID-qmpd-946c-gqbc
52
vulnerability VCID-qr9h-6dg8-gkh3
53
vulnerability VCID-quaj-w9r3-qya8
54
vulnerability VCID-reu2-2xcq-fqa4
55
vulnerability VCID-ryct-uaw3-fyfc
56
vulnerability VCID-suwt-h1ze-mydu
57
vulnerability VCID-t3ap-dzfp-1bd6
58
vulnerability VCID-t476-g5u5-1yeh
59
vulnerability VCID-trd4-8vc9-ufab
60
vulnerability VCID-u5wv-47m4-8yd6
61
vulnerability VCID-x9ns-34nt-gfer
62
vulnerability VCID-xh7u-8ze6-cqhk
63
vulnerability VCID-y7az-a4um-jqff
64
vulnerability VCID-ydhm-m8vh-mber
65
vulnerability VCID-z4w8-3mr1-63ed
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.6
aliases CVE-2019-12417, GHSA-q3p4-gw7r-wqjc, PYSEC-2019-216
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ksf-tekv-dud3
16
url VCID-6vg9-hu9u-q7c3
vulnerability_id VCID-6vg9-hu9u-q7c3
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
2
reference_url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
3
reference_url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
4
reference_url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
5
reference_url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
6
reference_url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
7
reference_url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
8
reference_url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
9
reference_url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
10
reference_url https://github.com/apache/airflow/pull/37290
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37290
11
reference_url https://github.com/apache/airflow/pull/37468
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37468
12
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
13
reference_url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
reference_id
reference_type
scores
url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
14
reference_url http://www.openwall.com/lists/oss-security/2024/02/29/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/02/29/1
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
reference_id CVE-2024-27906
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
16
reference_url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
reference_id GHSA-6v6w-h8m6-7mv2
reference_type
scores
url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-e5dn-tpzy-qqec
9
vulnerability VCID-egd2-gh55-qfgj
10
vulnerability VCID-ej1r-mp6n-gudd
11
vulnerability VCID-mcbu-b45m-k3ck
12
vulnerability VCID-pu6f-xhvm-q3du
13
vulnerability VCID-t3ap-dzfp-1bd6
14
vulnerability VCID-u5wv-47m4-8yd6
15
vulnerability VCID-x9ns-34nt-gfer
16
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-27906, GHSA-6v6w-h8m6-7mv2, PYSEC-2024-245
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3
17
url VCID-71hr-1ews-9qa6
vulnerability_id VCID-71hr-1ews-9qa6
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db
2
reference_url https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352
3
reference_url https://github.com/apache/airflow/pull/32014
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32014
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml
5
reference_url https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw
reference_id
reference_type
scores
url https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-35908
reference_id CVE-2023-35908
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-35908
7
reference_url https://github.com/advisories/GHSA-2h84-3crq-vgfj
reference_id GHSA-2h84-3crq-vgfj
reference_type
scores
url https://github.com/advisories/GHSA-2h84-3crq-vgfj
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-cahz-4dy7-bbe9
15
vulnerability VCID-csqr-pdvv-gfbh
16
vulnerability VCID-dh4r-77xc-cbas
17
vulnerability VCID-djdy-z9r3-s3a2
18
vulnerability VCID-ej1r-mp6n-gudd
19
vulnerability VCID-fbjk-2uvy-mqfc
20
vulnerability VCID-j86y-n37n-n7ft
21
vulnerability VCID-mcbu-b45m-k3ck
22
vulnerability VCID-njyy-ywer-x7bf
23
vulnerability VCID-pu6f-xhvm-q3du
24
vulnerability VCID-pypb-cezm-rkb2
25
vulnerability VCID-ryct-uaw3-fyfc
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-u5wv-47m4-8yd6
29
vulnerability VCID-wb11-e3rz-e3cf
30
vulnerability VCID-x9ns-34nt-gfer
31
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-35908, GHSA-2h84-3crq-vgfj, PYSEC-2023-119
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-71hr-1ews-9qa6
18
url VCID-82kk-s7d6-f7he
vulnerability_id VCID-82kk-s7d6-f7he
summary In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.
references
0
reference_url https://github.com/advisories/GHSA-cvcq-gmc3-q6m8
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-cvcq-gmc3-q6m8
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/4e32546faf227a6497ce8b282fff7450cae6f665
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/4e32546faf227a6497ce8b282fff7450cae6f665
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-262.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-262.yaml
4
reference_url https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-17511
reference_id CVE-2020-17511
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-17511
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.13
purl pkg:pypi/apache-airflow@1.10.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-frbp-mhhr-8bdt
29
vulnerability VCID-gn6e-a1yp-g7dw
30
vulnerability VCID-gz6e-b7dz-5qdf
31
vulnerability VCID-h6sp-398p-pbeg
32
vulnerability VCID-hah6-e5fc-juc5
33
vulnerability VCID-hy75-nfg7-zfae
34
vulnerability VCID-j86y-n37n-n7ft
35
vulnerability VCID-kh46-xrgm-9udx
36
vulnerability VCID-ks8d-9vr8-4feh
37
vulnerability VCID-mcbu-b45m-k3ck
38
vulnerability VCID-njyy-ywer-x7bf
39
vulnerability VCID-pu6f-xhvm-q3du
40
vulnerability VCID-pybp-gfy8-2qcr
41
vulnerability VCID-pypb-cezm-rkb2
42
vulnerability VCID-q84t-8dac-93dm
43
vulnerability VCID-qehu-58hj-67gn
44
vulnerability VCID-qmpd-946c-gqbc
45
vulnerability VCID-qr9h-6dg8-gkh3
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-trd4-8vc9-ufab
51
vulnerability VCID-u5wv-47m4-8yd6
52
vulnerability VCID-x9ns-34nt-gfer
53
vulnerability VCID-xh7u-8ze6-cqhk
54
vulnerability VCID-y7az-a4um-jqff
55
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13
aliases CVE-2020-17511, GHSA-cvcq-gmc3-q6m8, PYSEC-2020-262
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-82kk-s7d6-f7he
19
url VCID-835a-arqz-g7h7
vulnerability_id VCID-835a-arqz-g7h7
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
2
reference_url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
3
reference_url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
4
reference_url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
5
reference_url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
6
reference_url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
7
reference_url https://github.com/apache/airflow/pull/37501
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37501
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
9
reference_url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
reference_id
reference_type
scores
url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
reference_id CVE-2024-26280
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
11
reference_url https://github.com/advisories/GHSA-6xwf-xvf3-v459
reference_id GHSA-6xwf-xvf3-v459
reference_type
scores
url https://github.com/advisories/GHSA-6xwf-xvf3-v459
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-e5dn-tpzy-qqec
9
vulnerability VCID-egd2-gh55-qfgj
10
vulnerability VCID-ej1r-mp6n-gudd
11
vulnerability VCID-mcbu-b45m-k3ck
12
vulnerability VCID-pu6f-xhvm-q3du
13
vulnerability VCID-t3ap-dzfp-1bd6
14
vulnerability VCID-u5wv-47m4-8yd6
15
vulnerability VCID-x9ns-34nt-gfer
16
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-26280, GHSA-6xwf-xvf3-v459, PYSEC-2024-42
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7
20
url VCID-91n6-evww-zybp
vulnerability_id VCID-91n6-evww-zybp
summary In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/63028
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/63028
1
reference_url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/04/17/5
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2zj7-8yhg-8qen
2
vulnerability VCID-4nax-1d7y-1kbh
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-9ru4-qyks-hybs
5
vulnerability VCID-dhj9-usjr-nbfe
6
vulnerability VCID-djdy-z9r3-s3a2
7
vulnerability VCID-dzfs-e5ys-fbhz
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-frvt-ng4a-jqfh
10
vulnerability VCID-pu6f-xhvm-q3du
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-30912, PYSEC-2026-18
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp
21
url VCID-98yf-mvnw-d3b4
vulnerability_id VCID-98yf-mvnw-d3b4
summary 
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.  This is a different issue than CVE-2023-42663 but leading to similar outcome.
Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3
2
reference_url https://github.com/apache/airflow/pull/34939
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/34939
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml
4
reference_url https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1
reference_id
reference_type
scores
url https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42781
reference_id CVE-2023-42781
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42781
6
reference_url https://github.com/advisories/GHSA-r7x6-xfcm-3mxv
reference_id GHSA-r7x6-xfcm-3mxv
reference_type
scores
url https://github.com/advisories/GHSA-r7x6-xfcm-3mxv
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.3
purl pkg:pypi/apache-airflow@2.7.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5jyk-dgtu-zfhd
6
vulnerability VCID-6vg9-hu9u-q7c3
7
vulnerability VCID-835a-arqz-g7h7
8
vulnerability VCID-91n6-evww-zybp
9
vulnerability VCID-a64u-53x6-dfge
10
vulnerability VCID-amac-hqnj-xfgz
11
vulnerability VCID-dh4r-77xc-cbas
12
vulnerability VCID-djdy-z9r3-s3a2
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-j86y-n37n-n7ft
15
vulnerability VCID-mcbu-b45m-k3ck
16
vulnerability VCID-pu6f-xhvm-q3du
17
vulnerability VCID-t3ap-dzfp-1bd6
18
vulnerability VCID-t7xp-8ua7-d7ff
19
vulnerability VCID-u5wv-47m4-8yd6
20
vulnerability VCID-wb11-e3rz-e3cf
21
vulnerability VCID-x9ns-34nt-gfer
22
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3
aliases CVE-2023-42781, GHSA-r7x6-xfcm-3mxv, PYSEC-2023-231
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-98yf-mvnw-d3b4
22
url VCID-9jm4-t1je-vqhm
vulnerability_id VCID-9jm4-t1je-vqhm
summary In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
references
0
reference_url https://github.com/advisories/GHSA-6r3p-fcvm-xh7c
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-6r3p-fcvm-xh7c
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/b606b871226d649913a37fd074eeae5d86ebc3a1
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/b606b871226d649913a37fd074eeae5d86ebc3a1
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-20.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-20.yaml
4
reference_url https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-17513
reference_id CVE-2020-17513
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-17513
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.13
purl pkg:pypi/apache-airflow@1.10.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-frbp-mhhr-8bdt
29
vulnerability VCID-gn6e-a1yp-g7dw
30
vulnerability VCID-gz6e-b7dz-5qdf
31
vulnerability VCID-h6sp-398p-pbeg
32
vulnerability VCID-hah6-e5fc-juc5
33
vulnerability VCID-hy75-nfg7-zfae
34
vulnerability VCID-j86y-n37n-n7ft
35
vulnerability VCID-kh46-xrgm-9udx
36
vulnerability VCID-ks8d-9vr8-4feh
37
vulnerability VCID-mcbu-b45m-k3ck
38
vulnerability VCID-njyy-ywer-x7bf
39
vulnerability VCID-pu6f-xhvm-q3du
40
vulnerability VCID-pybp-gfy8-2qcr
41
vulnerability VCID-pypb-cezm-rkb2
42
vulnerability VCID-q84t-8dac-93dm
43
vulnerability VCID-qehu-58hj-67gn
44
vulnerability VCID-qmpd-946c-gqbc
45
vulnerability VCID-qr9h-6dg8-gkh3
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-trd4-8vc9-ufab
51
vulnerability VCID-u5wv-47m4-8yd6
52
vulnerability VCID-x9ns-34nt-gfer
53
vulnerability VCID-xh7u-8ze6-cqhk
54
vulnerability VCID-y7az-a4um-jqff
55
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13
aliases CVE-2020-17513, GHSA-6r3p-fcvm-xh7c, PYSEC-2020-20
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9jm4-t1je-vqhm
23
url VCID-9tq4-v733-hug3
vulnerability_id VCID-9tq4-v733-hug3
summary Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.
references
0
reference_url https://github.com/advisories/GHSA-ffw3-6mp6-jmvj
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-ffw3-6mp6-jmvj
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/blob/486b76438c0679682cf98cb88ed39c4b161cbcc8/CHANGELOG.txt
reference_id
reference_type
scores
url https://github.com/apache/airflow/blob/486b76438c0679682cf98cb88ed39c4b161cbcc8/CHANGELOG.txt
3
reference_url https://github.com/apache/airflow/commit/3909232fafd09ac72b49010ecdfd6ea48f06d5cf
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/3909232fafd09ac72b49010ecdfd6ea48f06d5cf
4
reference_url https://github.com/apache/airflow/commit/5e35926c7eda0dfa11a9623e4bf5f60c2bd6b3f6
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/5e35926c7eda0dfa11a9623e4bf5f60c2bd6b3f6
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-2.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-2.yaml
6
reference_url https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E
8
reference_url http://www.openwall.com/lists/oss-security/2021/02/17/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/02/17/1
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-26559
reference_id CVE-2021-26559
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-26559
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.1rc1
purl pkg:pypi/apache-airflow@2.0.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-gn6e-a1yp-g7dw
29
vulnerability VCID-gz6e-b7dz-5qdf
30
vulnerability VCID-h6sp-398p-pbeg
31
vulnerability VCID-hah6-e5fc-juc5
32
vulnerability VCID-hy75-nfg7-zfae
33
vulnerability VCID-j86y-n37n-n7ft
34
vulnerability VCID-kh46-xrgm-9udx
35
vulnerability VCID-ks8d-9vr8-4feh
36
vulnerability VCID-mcbu-b45m-k3ck
37
vulnerability VCID-njyy-ywer-x7bf
38
vulnerability VCID-pu6f-xhvm-q3du
39
vulnerability VCID-pybp-gfy8-2qcr
40
vulnerability VCID-pypb-cezm-rkb2
41
vulnerability VCID-q84t-8dac-93dm
42
vulnerability VCID-qehu-58hj-67gn
43
vulnerability VCID-qmpd-946c-gqbc
44
vulnerability VCID-qr9h-6dg8-gkh3
45
vulnerability VCID-rkeh-vuxg-ubgn
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-u5wv-47m4-8yd6
51
vulnerability VCID-x9ns-34nt-gfer
52
vulnerability VCID-xh7u-8ze6-cqhk
53
vulnerability VCID-y7az-a4um-jqff
54
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1rc1
1
url pkg:pypi/apache-airflow@2.0.1
purl pkg:pypi/apache-airflow@2.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-due7-n14c-akfx
24
vulnerability VCID-ej1r-mp6n-gudd
25
vulnerability VCID-ez45-qkb4-xkba
26
vulnerability VCID-fbjk-2uvy-mqfc
27
vulnerability VCID-gn6e-a1yp-g7dw
28
vulnerability VCID-gz6e-b7dz-5qdf
29
vulnerability VCID-h6sp-398p-pbeg
30
vulnerability VCID-hah6-e5fc-juc5
31
vulnerability VCID-hy75-nfg7-zfae
32
vulnerability VCID-j86y-n37n-n7ft
33
vulnerability VCID-kh46-xrgm-9udx
34
vulnerability VCID-ks8d-9vr8-4feh
35
vulnerability VCID-mcbu-b45m-k3ck
36
vulnerability VCID-njyy-ywer-x7bf
37
vulnerability VCID-pu6f-xhvm-q3du
38
vulnerability VCID-pybp-gfy8-2qcr
39
vulnerability VCID-pypb-cezm-rkb2
40
vulnerability VCID-q84t-8dac-93dm
41
vulnerability VCID-qehu-58hj-67gn
42
vulnerability VCID-qmpd-946c-gqbc
43
vulnerability VCID-qr9h-6dg8-gkh3
44
vulnerability VCID-rkeh-vuxg-ubgn
45
vulnerability VCID-ryct-uaw3-fyfc
46
vulnerability VCID-suwt-h1ze-mydu
47
vulnerability VCID-t3ap-dzfp-1bd6
48
vulnerability VCID-t476-g5u5-1yeh
49
vulnerability VCID-u5wv-47m4-8yd6
50
vulnerability VCID-x9ns-34nt-gfer
51
vulnerability VCID-xh7u-8ze6-cqhk
52
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1
aliases CVE-2021-26559, GHSA-ffw3-6mp6-jmvj, PYSEC-2021-2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9tq4-v733-hug3
24
url VCID-amac-hqnj-xfgz
vulnerability_id VCID-amac-hqnj-xfgz
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
2
reference_url https://github.com/apache/airflow/pull/36255
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/36255
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
4
reference_url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
5
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/01/24/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
reference_id CVE-2023-50943
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
7
reference_url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
reference_id GHSA-c3c6-f2ww-xfr2
reference_type
scores
url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-4ga6-4111-dyc9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-6vg9-hu9u-q7c3
6
vulnerability VCID-835a-arqz-g7h7
7
vulnerability VCID-91n6-evww-zybp
8
vulnerability VCID-a64u-53x6-dfge
9
vulnerability VCID-amac-hqnj-xfgz
10
vulnerability VCID-dh4r-77xc-cbas
11
vulnerability VCID-djdy-z9r3-s3a2
12
vulnerability VCID-e5dn-tpzy-qqec
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-mcbu-b45m-k3ck
15
vulnerability VCID-pu6f-xhvm-q3du
16
vulnerability VCID-t3ap-dzfp-1bd6
17
vulnerability VCID-u5wv-47m4-8yd6
18
vulnerability VCID-x9ns-34nt-gfer
19
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-6vg9-hu9u-q7c3
5
vulnerability VCID-835a-arqz-g7h7
6
vulnerability VCID-91n6-evww-zybp
7
vulnerability VCID-a64u-53x6-dfge
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-e5dn-tpzy-qqec
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-mcbu-b45m-k3ck
13
vulnerability VCID-pu6f-xhvm-q3du
14
vulnerability VCID-t3ap-dzfp-1bd6
15
vulnerability VCID-u5wv-47m4-8yd6
16
vulnerability VCID-x9ns-34nt-gfer
17
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50943, GHSA-c3c6-f2ww-xfr2, PYSEC-2024-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz
25
url VCID-b3w3-h9cm-ufgm
vulnerability_id VCID-b3w3-h9cm-ufgm
summary 
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0

This issue affects Apache Airflow: before 2.6.0.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8
2
reference_url https://github.com/apache/airflow/pull/29706
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/29706
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml
4
reference_url https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15
reference_id
reference_type
scores
url https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-39508
reference_id CVE-2023-39508
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-39508
6
reference_url https://github.com/advisories/GHSA-269x-pg5c-5xgm
reference_id GHSA-269x-pg5c-5xgm
reference_type
scores
url https://github.com/advisories/GHSA-269x-pg5c-5xgm
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.0b1
purl pkg:pypi/apache-airflow@2.6.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-b3w3-h9cm-ufgm
16
vulnerability VCID-cahz-4dy7-bbe9
17
vulnerability VCID-csqr-pdvv-gfbh
18
vulnerability VCID-dh4r-77xc-cbas
19
vulnerability VCID-djdy-z9r3-s3a2
20
vulnerability VCID-ej1r-mp6n-gudd
21
vulnerability VCID-ez45-qkb4-xkba
22
vulnerability VCID-fbjk-2uvy-mqfc
23
vulnerability VCID-h6sp-398p-pbeg
24
vulnerability VCID-hy75-nfg7-zfae
25
vulnerability VCID-j86y-n37n-n7ft
26
vulnerability VCID-mcbu-b45m-k3ck
27
vulnerability VCID-njyy-ywer-x7bf
28
vulnerability VCID-pu6f-xhvm-q3du
29
vulnerability VCID-pypb-cezm-rkb2
30
vulnerability VCID-q4rb-1yt3-rqdk
31
vulnerability VCID-qmpd-946c-gqbc
32
vulnerability VCID-ryct-uaw3-fyfc
33
vulnerability VCID-suwt-h1ze-mydu
34
vulnerability VCID-t3ap-dzfp-1bd6
35
vulnerability VCID-t476-g5u5-1yeh
36
vulnerability VCID-u5wv-47m4-8yd6
37
vulnerability VCID-x9ns-34nt-gfer
38
vulnerability VCID-xh7u-8ze6-cqhk
39
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1
1
url pkg:pypi/apache-airflow@2.6.0
purl pkg:pypi/apache-airflow@2.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-cahz-4dy7-bbe9
16
vulnerability VCID-csqr-pdvv-gfbh
17
vulnerability VCID-dh4r-77xc-cbas
18
vulnerability VCID-djdy-z9r3-s3a2
19
vulnerability VCID-ej1r-mp6n-gudd
20
vulnerability VCID-ez45-qkb4-xkba
21
vulnerability VCID-fbjk-2uvy-mqfc
22
vulnerability VCID-h6sp-398p-pbeg
23
vulnerability VCID-hy75-nfg7-zfae
24
vulnerability VCID-j86y-n37n-n7ft
25
vulnerability VCID-mcbu-b45m-k3ck
26
vulnerability VCID-njyy-ywer-x7bf
27
vulnerability VCID-pu6f-xhvm-q3du
28
vulnerability VCID-pypb-cezm-rkb2
29
vulnerability VCID-q4rb-1yt3-rqdk
30
vulnerability VCID-ryct-uaw3-fyfc
31
vulnerability VCID-t3ap-dzfp-1bd6
32
vulnerability VCID-t476-g5u5-1yeh
33
vulnerability VCID-u5wv-47m4-8yd6
34
vulnerability VCID-wb11-e3rz-e3cf
35
vulnerability VCID-x9ns-34nt-gfer
36
vulnerability VCID-xh7u-8ze6-cqhk
37
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0
aliases CVE-2023-39508, GHSA-269x-pg5c-5xgm, PYSEC-2023-134
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b3w3-h9cm-ufgm
26
url VCID-bwd5-3jt5-pyb8
vulnerability_id VCID-bwd5-3jt5-pyb8
summary An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
references
0
reference_url https://github.com/advisories/GHSA-q4p3-qw5c-mhpc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-q4p3-qw5c-mhpc
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-17.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-17.yaml
3
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-11983
reference_id CVE-2020-11983
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-11983
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-quaj-w9r3-qya8
50
vulnerability VCID-reu2-2xcq-fqa4
51
vulnerability VCID-ryct-uaw3-fyfc
52
vulnerability VCID-suwt-h1ze-mydu
53
vulnerability VCID-t3ap-dzfp-1bd6
54
vulnerability VCID-t476-g5u5-1yeh
55
vulnerability VCID-trd4-8vc9-ufab
56
vulnerability VCID-u5wv-47m4-8yd6
57
vulnerability VCID-x9ns-34nt-gfer
58
vulnerability VCID-xh7u-8ze6-cqhk
59
vulnerability VCID-y7az-a4um-jqff
60
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
1
url pkg:pypi/apache-airflow@1.10.11
purl pkg:pypi/apache-airflow@1.10.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-reu2-2xcq-fqa4
50
vulnerability VCID-ryct-uaw3-fyfc
51
vulnerability VCID-suwt-h1ze-mydu
52
vulnerability VCID-t3ap-dzfp-1bd6
53
vulnerability VCID-t476-g5u5-1yeh
54
vulnerability VCID-trd4-8vc9-ufab
55
vulnerability VCID-u5wv-47m4-8yd6
56
vulnerability VCID-x9ns-34nt-gfer
57
vulnerability VCID-xh7u-8ze6-cqhk
58
vulnerability VCID-y7az-a4um-jqff
59
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11
aliases CVE-2020-11983, GHSA-q4p3-qw5c-mhpc, PYSEC-2020-17
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bwd5-3jt5-pyb8
27
url VCID-cahz-4dy7-bbe9
vulnerability_id VCID-cahz-4dy7-bbe9
summary 
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).

With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.

Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6
2
reference_url https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b
3
reference_url https://github.com/apache/airflow/pull/33347
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/33347
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml
5
reference_url https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj
6
reference_url https://www.openwall.com/lists/oss-security/2023/08/23/1
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://www.openwall.com/lists/oss-security/2023/08/23/1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40273
reference_id CVE-2023-40273
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40273
8
reference_url https://github.com/advisories/GHSA-pm87-24wq-r8w9
reference_id GHSA-pm87-24wq-r8w9
reference_type
scores
url https://github.com/advisories/GHSA-pm87-24wq-r8w9
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.0rc2
purl pkg:pypi/apache-airflow@2.7.0rc2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-cahz-4dy7-bbe9
15
vulnerability VCID-csqr-pdvv-gfbh
16
vulnerability VCID-dh4r-77xc-cbas
17
vulnerability VCID-djdy-z9r3-s3a2
18
vulnerability VCID-ej1r-mp6n-gudd
19
vulnerability VCID-fbjk-2uvy-mqfc
20
vulnerability VCID-j86y-n37n-n7ft
21
vulnerability VCID-mcbu-b45m-k3ck
22
vulnerability VCID-njyy-ywer-x7bf
23
vulnerability VCID-pu6f-xhvm-q3du
24
vulnerability VCID-pypb-cezm-rkb2
25
vulnerability VCID-ryct-uaw3-fyfc
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-u5wv-47m4-8yd6
29
vulnerability VCID-wb11-e3rz-e3cf
30
vulnerability VCID-x9ns-34nt-gfer
31
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0rc2
1
url pkg:pypi/apache-airflow@2.7.1rc1
purl pkg:pypi/apache-airflow@2.7.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1jx5-34px-ukbz
1
vulnerability VCID-1w96-f72k-ryap
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-56eq-awhd-d3fr
6
vulnerability VCID-5cpd-kjpb-ekhv
7
vulnerability VCID-5jyk-dgtu-zfhd
8
vulnerability VCID-5zmy-2ape-7qfa
9
vulnerability VCID-6vg9-hu9u-q7c3
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-dh4r-77xc-cbas
16
vulnerability VCID-djdy-z9r3-s3a2
17
vulnerability VCID-ej1r-mp6n-gudd
18
vulnerability VCID-fbjk-2uvy-mqfc
19
vulnerability VCID-j86y-n37n-n7ft
20
vulnerability VCID-mcbu-b45m-k3ck
21
vulnerability VCID-njyy-ywer-x7bf
22
vulnerability VCID-pu6f-xhvm-q3du
23
vulnerability VCID-pypb-cezm-rkb2
24
vulnerability VCID-t3ap-dzfp-1bd6
25
vulnerability VCID-t476-g5u5-1yeh
26
vulnerability VCID-t7xp-8ua7-d7ff
27
vulnerability VCID-u5wv-47m4-8yd6
28
vulnerability VCID-wb11-e3rz-e3cf
29
vulnerability VCID-x9ns-34nt-gfer
30
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1
aliases CVE-2023-40273, GHSA-pm87-24wq-r8w9, PYSEC-2023-158
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cahz-4dy7-bbe9
28
url VCID-dh4r-77xc-cbas
vulnerability_id VCID-dh4r-77xc-cbas
summary 
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.

This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/29500
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/29500
2
reference_url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
reference_id CVE-2023-25693
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
4
reference_url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
reference_id GHSA-j69x-v4wc-3fpf
reference_type
scores
url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.1
purl pkg:pypi/apache-airflow@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2b14-1bp2-gua6
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-5hxx-r2d2-9ybk
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-9j1n-cypf-p7g5
7
vulnerability VCID-9ru4-qyks-hybs
8
vulnerability VCID-dhj9-usjr-nbfe
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-dzfs-e5ys-fbhz
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-etmw-7eq5-mqa2
13
vulnerability VCID-ezmu-8g1y-e3hz
14
vulnerability VCID-geg4-1kgh-akde
15
vulnerability VCID-hkwf-65vr-dkfz
16
vulnerability VCID-knrd-atwy-gubn
17
vulnerability VCID-pu6f-xhvm-q3du
18
vulnerability VCID-snqz-3f8t-syhd
19
vulnerability VCID-t3ap-dzfp-1bd6
20
vulnerability VCID-tbb9-myv7-a7h4
21
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1
aliases CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas
29
url VCID-djdy-z9r3-s3a2
vulnerability_id VCID-djdy-z9r3-s3a2
summary A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
references
0
reference_url https://github.com/apache/airflow/pull/67289
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/67289
1
reference_url https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-57735
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://www.cve.org/CVERecord?id=CVE-2025-57735
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-48726, PYSEC-2026-187
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-djdy-z9r3-s3a2
30
url VCID-due7-n14c-akfx
vulnerability_id VCID-due7-n14c-akfx
summary If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
references
0
reference_url https://github.com/advisories/GHSA-m6h2-jx9v-58w6
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-m6h2-jx9v-58w6
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/27265516d2b897585f5019ecd820cfe5471fd351
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/27265516d2b897585f5019ecd820cfe5471fd351
3
reference_url https://github.com/apache/airflow/commit/7a5bb88ad78d600fbb1676a55752597928115bd8
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/7a5bb88ad78d600fbb1676a55752597928115bd8
4
reference_url https://github.com/apache/airflow/commit/d772f38f843b9add5319a01cf51a844145b01f63
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d772f38f843b9add5319a01cf51a844145b01f63
5
reference_url https://github.com/apache/airflow/compare/2.1.1...2.1.2
reference_id
reference_type
scores
url https://github.com/apache/airflow/compare/2.1.1...2.1.2
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-122.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-122.yaml
7
reference_url https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-35936
reference_id CVE-2021-35936
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-35936
fixed_packages
0
url pkg:pypi/apache-airflow@2.1.2
purl pkg:pypi/apache-airflow@2.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-ej1r-mp6n-gudd
24
vulnerability VCID-ez45-qkb4-xkba
25
vulnerability VCID-fbjk-2uvy-mqfc
26
vulnerability VCID-gn6e-a1yp-g7dw
27
vulnerability VCID-gz6e-b7dz-5qdf
28
vulnerability VCID-h6sp-398p-pbeg
29
vulnerability VCID-hah6-e5fc-juc5
30
vulnerability VCID-hy75-nfg7-zfae
31
vulnerability VCID-j86y-n37n-n7ft
32
vulnerability VCID-kh46-xrgm-9udx
33
vulnerability VCID-mcbu-b45m-k3ck
34
vulnerability VCID-njyy-ywer-x7bf
35
vulnerability VCID-pu6f-xhvm-q3du
36
vulnerability VCID-pybp-gfy8-2qcr
37
vulnerability VCID-pypb-cezm-rkb2
38
vulnerability VCID-q84t-8dac-93dm
39
vulnerability VCID-qehu-58hj-67gn
40
vulnerability VCID-qmpd-946c-gqbc
41
vulnerability VCID-qr9h-6dg8-gkh3
42
vulnerability VCID-rkeh-vuxg-ubgn
43
vulnerability VCID-ryct-uaw3-fyfc
44
vulnerability VCID-suwt-h1ze-mydu
45
vulnerability VCID-t3ap-dzfp-1bd6
46
vulnerability VCID-t476-g5u5-1yeh
47
vulnerability VCID-u5wv-47m4-8yd6
48
vulnerability VCID-x9ns-34nt-gfer
49
vulnerability VCID-xh7u-8ze6-cqhk
50
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.1.2
aliases CVE-2021-35936, GHSA-m6h2-jx9v-58w6, PYSEC-2021-122
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-due7-n14c-akfx
31
url VCID-ej1r-mp6n-gudd
vulnerability_id VCID-ej1r-mp6n-gudd
summary A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.
references
0
reference_url https://github.com/apache/airflow/pull/66673
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/66673
1
reference_url https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd
2
reference_url http://www.openwall.com/lists/oss-security/2026/06/01/3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/06/01/3
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-45192, PYSEC-2026-173
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ej1r-mp6n-gudd
32
url VCID-ez45-qkb4-xkba
vulnerability_id VCID-ez45-qkb4-xkba
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8
2
reference_url https://github.com/apache/airflow/pull/32309
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32309
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml
4
reference_url https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d
reference_id
reference_type
scores
url https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-46651
reference_id CVE-2022-46651
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-46651
6
reference_url https://github.com/advisories/GHSA-xvw9-3mhm-xjqq
reference_id GHSA-xvw9-3mhm-xjqq
reference_type
scores
url https://github.com/advisories/GHSA-xvw9-3mhm-xjqq
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-cahz-4dy7-bbe9
15
vulnerability VCID-csqr-pdvv-gfbh
16
vulnerability VCID-dh4r-77xc-cbas
17
vulnerability VCID-djdy-z9r3-s3a2
18
vulnerability VCID-ej1r-mp6n-gudd
19
vulnerability VCID-fbjk-2uvy-mqfc
20
vulnerability VCID-j86y-n37n-n7ft
21
vulnerability VCID-mcbu-b45m-k3ck
22
vulnerability VCID-njyy-ywer-x7bf
23
vulnerability VCID-pu6f-xhvm-q3du
24
vulnerability VCID-pypb-cezm-rkb2
25
vulnerability VCID-ryct-uaw3-fyfc
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-u5wv-47m4-8yd6
29
vulnerability VCID-wb11-e3rz-e3cf
30
vulnerability VCID-x9ns-34nt-gfer
31
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2022-46651, GHSA-xvw9-3mhm-xjqq, PYSEC-2023-103
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ez45-qkb4-xkba
33
url VCID-fbjk-2uvy-mqfc
vulnerability_id VCID-fbjk-2uvy-mqfc
summary 
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. 

Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. 

Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
2
reference_url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
3
reference_url https://github.com/apache/airflow/pull/33413
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33413
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml
5
reference_url https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
reference_id
reference_type
scores
url https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47037
reference_id CVE-2023-47037
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-47037
7
reference_url https://github.com/advisories/GHSA-hm9r-7f84-25c9
reference_id GHSA-hm9r-7f84-25c9
reference_type
scores
url https://github.com/advisories/GHSA-hm9r-7f84-25c9
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.3
purl pkg:pypi/apache-airflow@2.7.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5jyk-dgtu-zfhd
6
vulnerability VCID-6vg9-hu9u-q7c3
7
vulnerability VCID-835a-arqz-g7h7
8
vulnerability VCID-91n6-evww-zybp
9
vulnerability VCID-a64u-53x6-dfge
10
vulnerability VCID-amac-hqnj-xfgz
11
vulnerability VCID-dh4r-77xc-cbas
12
vulnerability VCID-djdy-z9r3-s3a2
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-j86y-n37n-n7ft
15
vulnerability VCID-mcbu-b45m-k3ck
16
vulnerability VCID-pu6f-xhvm-q3du
17
vulnerability VCID-t3ap-dzfp-1bd6
18
vulnerability VCID-t7xp-8ua7-d7ff
19
vulnerability VCID-u5wv-47m4-8yd6
20
vulnerability VCID-wb11-e3rz-e3cf
21
vulnerability VCID-x9ns-34nt-gfer
22
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3
aliases CVE-2023-47037, GHSA-hm9r-7f84-25c9, PYSEC-2023-232
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fbjk-2uvy-mqfc
34
url VCID-frbp-mhhr-8bdt
vulnerability_id VCID-frbp-mhhr-8bdt
summary 
Edge3 Worker RPC RCE on Airflow 2.

This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2.



The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do.

If you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) has minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2.

If you used Edge Provider in Airflow 3, you are not affected.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/59143
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/59143
2
reference_url https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs
3
reference_url http://www.openwall.com/lists/oss-security/2025/12/16/3
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url http://www.openwall.com/lists/oss-security/2025/12/16/3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67895
reference_id CVE-2025-67895
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-67895
5
reference_url https://github.com/advisories/GHSA-66h8-3g48-6hx8
reference_id GHSA-66h8-3g48-6hx8
reference_type
scores
url https://github.com/advisories/GHSA-66h8-3g48-6hx8
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.0
purl pkg:pypi/apache-airflow@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-gn6e-a1yp-g7dw
29
vulnerability VCID-gz6e-b7dz-5qdf
30
vulnerability VCID-h6sp-398p-pbeg
31
vulnerability VCID-hah6-e5fc-juc5
32
vulnerability VCID-hy75-nfg7-zfae
33
vulnerability VCID-j86y-n37n-n7ft
34
vulnerability VCID-kh46-xrgm-9udx
35
vulnerability VCID-ks8d-9vr8-4feh
36
vulnerability VCID-mcbu-b45m-k3ck
37
vulnerability VCID-njyy-ywer-x7bf
38
vulnerability VCID-pu6f-xhvm-q3du
39
vulnerability VCID-pybp-gfy8-2qcr
40
vulnerability VCID-pypb-cezm-rkb2
41
vulnerability VCID-q84t-8dac-93dm
42
vulnerability VCID-qehu-58hj-67gn
43
vulnerability VCID-qmpd-946c-gqbc
44
vulnerability VCID-qr9h-6dg8-gkh3
45
vulnerability VCID-rkeh-vuxg-ubgn
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-u5wv-47m4-8yd6
51
vulnerability VCID-x9ns-34nt-gfer
52
vulnerability VCID-xh7u-8ze6-cqhk
53
vulnerability VCID-y7az-a4um-jqff
54
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.0
aliases CVE-2025-67895, GHSA-66h8-3g48-6hx8, PYSEC-2025-87
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-frbp-mhhr-8bdt
35
url VCID-gn6e-a1yp-g7dw
vulnerability_id VCID-gn6e-a1yp-g7dw
summary In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.
references
0
reference_url https://github.com/advisories/GHSA-4jh2-3c85-q67h
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-4jh2-3c85-q67h
1
reference_url https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl
reference_id
reference_type
scores
url https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-45230
reference_id CVE-2021-45230
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-45230
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.0b1
purl pkg:pypi/apache-airflow@2.0.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-frbp-mhhr-8bdt
29
vulnerability VCID-gz6e-b7dz-5qdf
30
vulnerability VCID-h6sp-398p-pbeg
31
vulnerability VCID-hah6-e5fc-juc5
32
vulnerability VCID-hy75-nfg7-zfae
33
vulnerability VCID-j86y-n37n-n7ft
34
vulnerability VCID-kh46-xrgm-9udx
35
vulnerability VCID-mcbu-b45m-k3ck
36
vulnerability VCID-njyy-ywer-x7bf
37
vulnerability VCID-pe8h-9hgu-j3hx
38
vulnerability VCID-pu6f-xhvm-q3du
39
vulnerability VCID-pybp-gfy8-2qcr
40
vulnerability VCID-pypb-cezm-rkb2
41
vulnerability VCID-q84t-8dac-93dm
42
vulnerability VCID-qehu-58hj-67gn
43
vulnerability VCID-qmpd-946c-gqbc
44
vulnerability VCID-qr9h-6dg8-gkh3
45
vulnerability VCID-ryct-uaw3-fyfc
46
vulnerability VCID-suwt-h1ze-mydu
47
vulnerability VCID-t3ap-dzfp-1bd6
48
vulnerability VCID-t476-g5u5-1yeh
49
vulnerability VCID-u5wv-47m4-8yd6
50
vulnerability VCID-x9ns-34nt-gfer
51
vulnerability VCID-xh7u-8ze6-cqhk
52
vulnerability VCID-y7az-a4um-jqff
53
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.0b1
1
url pkg:pypi/apache-airflow@2.2.0
purl pkg:pypi/apache-airflow@2.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-ej1r-mp6n-gudd
24
vulnerability VCID-ez45-qkb4-xkba
25
vulnerability VCID-fbjk-2uvy-mqfc
26
vulnerability VCID-gz6e-b7dz-5qdf
27
vulnerability VCID-h6sp-398p-pbeg
28
vulnerability VCID-hah6-e5fc-juc5
29
vulnerability VCID-hy75-nfg7-zfae
30
vulnerability VCID-j86y-n37n-n7ft
31
vulnerability VCID-kh46-xrgm-9udx
32
vulnerability VCID-mcbu-b45m-k3ck
33
vulnerability VCID-njyy-ywer-x7bf
34
vulnerability VCID-pu6f-xhvm-q3du
35
vulnerability VCID-pybp-gfy8-2qcr
36
vulnerability VCID-pypb-cezm-rkb2
37
vulnerability VCID-q84t-8dac-93dm
38
vulnerability VCID-qehu-58hj-67gn
39
vulnerability VCID-qmpd-946c-gqbc
40
vulnerability VCID-qr9h-6dg8-gkh3
41
vulnerability VCID-ryct-uaw3-fyfc
42
vulnerability VCID-suwt-h1ze-mydu
43
vulnerability VCID-t3ap-dzfp-1bd6
44
vulnerability VCID-t476-g5u5-1yeh
45
vulnerability VCID-u5wv-47m4-8yd6
46
vulnerability VCID-x9ns-34nt-gfer
47
vulnerability VCID-xh7u-8ze6-cqhk
48
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.0
aliases CVE-2021-45230, GHSA-4jh2-3c85-q67h, PYSEC-2022-11
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gn6e-a1yp-g7dw
36
url VCID-gz6e-b7dz-5qdf
vulnerability_id VCID-gz6e-b7dz-5qdf
summary In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.
references
0
reference_url https://github.com/advisories/GHSA-q8h9-pqcx-59hw
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-q8h9-pqcx-59hw
1
reference_url https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv
reference_id
reference_type
scores
url https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv
2
reference_url http://www.openwall.com/lists/oss-security/2022/09/02/12
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/09/02/12
3
reference_url http://www.openwall.com/lists/oss-security/2022/09/02/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/09/02/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.3.4
purl pkg:pypi/apache-airflow@2.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-2ysx-9hz5-fyfm
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4bps-htex-tqgk
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-56eq-awhd-d3fr
7
vulnerability VCID-5cpd-kjpb-ekhv
8
vulnerability VCID-5jyk-dgtu-zfhd
9
vulnerability VCID-5yxa-ubfq-fqdx
10
vulnerability VCID-5zmy-2ape-7qfa
11
vulnerability VCID-6gjt-zsju-47a3
12
vulnerability VCID-6pk8-baws-e3dt
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-ej1r-mp6n-gudd
24
vulnerability VCID-ez45-qkb4-xkba
25
vulnerability VCID-fbjk-2uvy-mqfc
26
vulnerability VCID-h6sp-398p-pbeg
27
vulnerability VCID-hah6-e5fc-juc5
28
vulnerability VCID-hy75-nfg7-zfae
29
vulnerability VCID-j86y-n37n-n7ft
30
vulnerability VCID-kh46-xrgm-9udx
31
vulnerability VCID-mcbu-b45m-k3ck
32
vulnerability VCID-njyy-ywer-x7bf
33
vulnerability VCID-pu6f-xhvm-q3du
34
vulnerability VCID-pypb-cezm-rkb2
35
vulnerability VCID-q84t-8dac-93dm
36
vulnerability VCID-qehu-58hj-67gn
37
vulnerability VCID-qmpd-946c-gqbc
38
vulnerability VCID-ryct-uaw3-fyfc
39
vulnerability VCID-suwt-h1ze-mydu
40
vulnerability VCID-t3ap-dzfp-1bd6
41
vulnerability VCID-t476-g5u5-1yeh
42
vulnerability VCID-u5wv-47m4-8yd6
43
vulnerability VCID-x9ns-34nt-gfer
44
vulnerability VCID-xh7u-8ze6-cqhk
45
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.4
aliases CVE-2022-38170, GHSA-q8h9-pqcx-59hw, PYSEC-2022-261
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gz6e-b7dz-5qdf
37
url VCID-h6sp-398p-pbeg
vulnerability_id VCID-h6sp-398p-pbeg
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
2
reference_url https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3
3
reference_url https://github.com/apache/airflow/pull/32293
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32293
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml
5
reference_url https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo
reference_id
reference_type
scores
url https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22887
reference_id CVE-2023-22887
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-22887
7
reference_url https://github.com/advisories/GHSA-ggwr-4vr8-g7wv
reference_id GHSA-ggwr-4vr8-g7wv
reference_type
scores
url https://github.com/advisories/GHSA-ggwr-4vr8-g7wv
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-cahz-4dy7-bbe9
15
vulnerability VCID-csqr-pdvv-gfbh
16
vulnerability VCID-dh4r-77xc-cbas
17
vulnerability VCID-djdy-z9r3-s3a2
18
vulnerability VCID-ej1r-mp6n-gudd
19
vulnerability VCID-fbjk-2uvy-mqfc
20
vulnerability VCID-j86y-n37n-n7ft
21
vulnerability VCID-mcbu-b45m-k3ck
22
vulnerability VCID-njyy-ywer-x7bf
23
vulnerability VCID-pu6f-xhvm-q3du
24
vulnerability VCID-pypb-cezm-rkb2
25
vulnerability VCID-ryct-uaw3-fyfc
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-u5wv-47m4-8yd6
29
vulnerability VCID-wb11-e3rz-e3cf
30
vulnerability VCID-x9ns-34nt-gfer
31
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-22887, GHSA-ggwr-4vr8-g7wv, PYSEC-2023-104
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h6sp-398p-pbeg
38
url VCID-hah6-e5fc-juc5
vulnerability_id VCID-hah6-e5fc-juc5
summary Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951
2
reference_url https://github.com/apache/airflow/pull/29501
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/29501
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml
4
reference_url https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2
reference_id
reference_type
scores
url https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25695
reference_id CVE-2023-25695
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25695
6
reference_url https://github.com/advisories/GHSA-h6g5-wqqr-3mw3
reference_id GHSA-h6g5-wqqr-3mw3
reference_type
scores
url https://github.com/advisories/GHSA-h6g5-wqqr-3mw3
fixed_packages
0
url pkg:pypi/apache-airflow@2.5.2rc1
purl pkg:pypi/apache-airflow@2.5.2rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-b3w3-h9cm-ufgm
16
vulnerability VCID-cahz-4dy7-bbe9
17
vulnerability VCID-csqr-pdvv-gfbh
18
vulnerability VCID-dh4r-77xc-cbas
19
vulnerability VCID-djdy-z9r3-s3a2
20
vulnerability VCID-ej1r-mp6n-gudd
21
vulnerability VCID-ez45-qkb4-xkba
22
vulnerability VCID-fbjk-2uvy-mqfc
23
vulnerability VCID-h6sp-398p-pbeg
24
vulnerability VCID-hah6-e5fc-juc5
25
vulnerability VCID-hy75-nfg7-zfae
26
vulnerability VCID-j86y-n37n-n7ft
27
vulnerability VCID-mcbu-b45m-k3ck
28
vulnerability VCID-njyy-ywer-x7bf
29
vulnerability VCID-pu6f-xhvm-q3du
30
vulnerability VCID-pypb-cezm-rkb2
31
vulnerability VCID-q4rb-1yt3-rqdk
32
vulnerability VCID-qmpd-946c-gqbc
33
vulnerability VCID-ryct-uaw3-fyfc
34
vulnerability VCID-suwt-h1ze-mydu
35
vulnerability VCID-t3ap-dzfp-1bd6
36
vulnerability VCID-t476-g5u5-1yeh
37
vulnerability VCID-u5wv-47m4-8yd6
38
vulnerability VCID-x9ns-34nt-gfer
39
vulnerability VCID-xh7u-8ze6-cqhk
40
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2rc1
1
url pkg:pypi/apache-airflow@2.5.2
purl pkg:pypi/apache-airflow@2.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-b3w3-h9cm-ufgm
16
vulnerability VCID-cahz-4dy7-bbe9
17
vulnerability VCID-csqr-pdvv-gfbh
18
vulnerability VCID-dh4r-77xc-cbas
19
vulnerability VCID-djdy-z9r3-s3a2
20
vulnerability VCID-ej1r-mp6n-gudd
21
vulnerability VCID-ez45-qkb4-xkba
22
vulnerability VCID-fbjk-2uvy-mqfc
23
vulnerability VCID-h6sp-398p-pbeg
24
vulnerability VCID-hy75-nfg7-zfae
25
vulnerability VCID-j86y-n37n-n7ft
26
vulnerability VCID-mcbu-b45m-k3ck
27
vulnerability VCID-njyy-ywer-x7bf
28
vulnerability VCID-pu6f-xhvm-q3du
29
vulnerability VCID-pypb-cezm-rkb2
30
vulnerability VCID-q4rb-1yt3-rqdk
31
vulnerability VCID-qmpd-946c-gqbc
32
vulnerability VCID-ryct-uaw3-fyfc
33
vulnerability VCID-suwt-h1ze-mydu
34
vulnerability VCID-t3ap-dzfp-1bd6
35
vulnerability VCID-t476-g5u5-1yeh
36
vulnerability VCID-u5wv-47m4-8yd6
37
vulnerability VCID-x9ns-34nt-gfer
38
vulnerability VCID-xh7u-8ze6-cqhk
39
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2
aliases CVE-2023-25695, GHSA-h6g5-wqqr-3mw3, PYSEC-2023-2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hah6-e5fc-juc5
39
url VCID-hy75-nfg7-zfae
vulnerability_id VCID-hy75-nfg7-zfae
summary Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02
2
reference_url https://github.com/apache/airflow/pull/32293
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32293
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml
4
reference_url https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z
reference_id
reference_type
scores
url https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22888
reference_id CVE-2023-22888
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-22888
6
reference_url https://github.com/advisories/GHSA-5946-8p38-vffp
reference_id GHSA-5946-8p38-vffp
reference_type
scores
url https://github.com/advisories/GHSA-5946-8p38-vffp
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-cahz-4dy7-bbe9
15
vulnerability VCID-csqr-pdvv-gfbh
16
vulnerability VCID-dh4r-77xc-cbas
17
vulnerability VCID-djdy-z9r3-s3a2
18
vulnerability VCID-ej1r-mp6n-gudd
19
vulnerability VCID-fbjk-2uvy-mqfc
20
vulnerability VCID-j86y-n37n-n7ft
21
vulnerability VCID-mcbu-b45m-k3ck
22
vulnerability VCID-njyy-ywer-x7bf
23
vulnerability VCID-pu6f-xhvm-q3du
24
vulnerability VCID-pypb-cezm-rkb2
25
vulnerability VCID-ryct-uaw3-fyfc
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-u5wv-47m4-8yd6
29
vulnerability VCID-wb11-e3rz-e3cf
30
vulnerability VCID-x9ns-34nt-gfer
31
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-22888, GHSA-5946-8p38-vffp, PYSEC-2023-105
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hy75-nfg7-zfae
40
url VCID-j86y-n37n-n7ft
vulnerability_id VCID-j86y-n37n-n7ft
summary 
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.

This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 

Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c
2
reference_url https://github.com/apache/airflow/pull/34366
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://github.com/apache/airflow/pull/34366
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml
4
reference_url https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3
5
reference_url http://www.openwall.com/lists/oss-security/2023/12/21/1
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url http://www.openwall.com/lists/oss-security/2023/12/21/1
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48291
reference_id CVE-2023-48291
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-48291
7
reference_url https://github.com/advisories/GHSA-8f57-wcmg-4jmh
reference_id GHSA-8f57-wcmg-4jmh
reference_type
scores
url https://github.com/advisories/GHSA-8f57-wcmg-4jmh
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.0
purl pkg:pypi/apache-airflow@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-4ga6-4111-dyc9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-6vg9-hu9u-q7c3
6
vulnerability VCID-835a-arqz-g7h7
7
vulnerability VCID-91n6-evww-zybp
8
vulnerability VCID-a64u-53x6-dfge
9
vulnerability VCID-amac-hqnj-xfgz
10
vulnerability VCID-dh4r-77xc-cbas
11
vulnerability VCID-djdy-z9r3-s3a2
12
vulnerability VCID-e5dn-tpzy-qqec
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-mcbu-b45m-k3ck
15
vulnerability VCID-pu6f-xhvm-q3du
16
vulnerability VCID-t3ap-dzfp-1bd6
17
vulnerability VCID-u5wv-47m4-8yd6
18
vulnerability VCID-x9ns-34nt-gfer
19
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0
aliases CVE-2023-48291, GHSA-8f57-wcmg-4jmh, PYSEC-2023-265
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j86y-n37n-n7ft
41
url VCID-jq98-gxbc-pydt
vulnerability_id VCID-jq98-gxbc-pydt
summary An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI.
references
0
reference_url https://github.com/advisories/GHSA-j38c-25fj-mr84
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-j38c-25fj-mr84
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-23.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-23.yaml
3
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-9485
reference_id CVE-2020-9485
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-9485
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-quaj-w9r3-qya8
50
vulnerability VCID-reu2-2xcq-fqa4
51
vulnerability VCID-ryct-uaw3-fyfc
52
vulnerability VCID-suwt-h1ze-mydu
53
vulnerability VCID-t3ap-dzfp-1bd6
54
vulnerability VCID-t476-g5u5-1yeh
55
vulnerability VCID-trd4-8vc9-ufab
56
vulnerability VCID-u5wv-47m4-8yd6
57
vulnerability VCID-x9ns-34nt-gfer
58
vulnerability VCID-xh7u-8ze6-cqhk
59
vulnerability VCID-y7az-a4um-jqff
60
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
1
url pkg:pypi/apache-airflow@1.10.11
purl pkg:pypi/apache-airflow@1.10.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-reu2-2xcq-fqa4
50
vulnerability VCID-ryct-uaw3-fyfc
51
vulnerability VCID-suwt-h1ze-mydu
52
vulnerability VCID-t3ap-dzfp-1bd6
53
vulnerability VCID-t476-g5u5-1yeh
54
vulnerability VCID-trd4-8vc9-ufab
55
vulnerability VCID-u5wv-47m4-8yd6
56
vulnerability VCID-x9ns-34nt-gfer
57
vulnerability VCID-xh7u-8ze6-cqhk
58
vulnerability VCID-y7az-a4um-jqff
59
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11
aliases CVE-2020-9485, GHSA-j38c-25fj-mr84, PYSEC-2020-23
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jq98-gxbc-pydt
42
url VCID-kh46-xrgm-9udx
vulnerability_id VCID-kh46-xrgm-9udx
summary In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
references
0
reference_url https://github.com/apache/airflow/pull/26635
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/26635
1
reference_url https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
reference_id
reference_type
scores
url https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.2rc1
purl pkg:pypi/apache-airflow@2.4.2rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-2ysx-9hz5-fyfm
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-56eq-awhd-d3fr
6
vulnerability VCID-5cpd-kjpb-ekhv
7
vulnerability VCID-5jyk-dgtu-zfhd
8
vulnerability VCID-5yxa-ubfq-fqdx
9
vulnerability VCID-5zmy-2ape-7qfa
10
vulnerability VCID-6gjt-zsju-47a3
11
vulnerability VCID-6vg9-hu9u-q7c3
12
vulnerability VCID-71hr-1ews-9qa6
13
vulnerability VCID-835a-arqz-g7h7
14
vulnerability VCID-91n6-evww-zybp
15
vulnerability VCID-98yf-mvnw-d3b4
16
vulnerability VCID-a64u-53x6-dfge
17
vulnerability VCID-amac-hqnj-xfgz
18
vulnerability VCID-b3w3-h9cm-ufgm
19
vulnerability VCID-cahz-4dy7-bbe9
20
vulnerability VCID-csqr-pdvv-gfbh
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-ej1r-mp6n-gudd
24
vulnerability VCID-ez45-qkb4-xkba
25
vulnerability VCID-fbjk-2uvy-mqfc
26
vulnerability VCID-h6sp-398p-pbeg
27
vulnerability VCID-hah6-e5fc-juc5
28
vulnerability VCID-hy75-nfg7-zfae
29
vulnerability VCID-j86y-n37n-n7ft
30
vulnerability VCID-mcbu-b45m-k3ck
31
vulnerability VCID-njyy-ywer-x7bf
32
vulnerability VCID-pu6f-xhvm-q3du
33
vulnerability VCID-pypb-cezm-rkb2
34
vulnerability VCID-qehu-58hj-67gn
35
vulnerability VCID-qmpd-946c-gqbc
36
vulnerability VCID-ryct-uaw3-fyfc
37
vulnerability VCID-suwt-h1ze-mydu
38
vulnerability VCID-t3ap-dzfp-1bd6
39
vulnerability VCID-t476-g5u5-1yeh
40
vulnerability VCID-u5wv-47m4-8yd6
41
vulnerability VCID-x9ns-34nt-gfer
42
vulnerability VCID-xh7u-8ze6-cqhk
43
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2rc1
aliases CVE-2022-41672, PYSEC-2022-42983
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kh46-xrgm-9udx
43
url VCID-ks8d-9vr8-4feh
vulnerability_id VCID-ks8d-9vr8-4feh
summary The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
references
0
reference_url https://github.com/advisories/GHSA-3xxv-p78r-4fc6
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-3xxv-p78r-4fc6
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/2fef2ab1bf0f8c727a503940c9c65fd5be208386
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2fef2ab1bf0f8c727a503940c9c65fd5be208386
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-4.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-4.yaml
4
reference_url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
5
reference_url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-28359
reference_id CVE-2021-28359
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-28359
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.15
purl pkg:pypi/apache-airflow@1.10.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-frbp-mhhr-8bdt
29
vulnerability VCID-gn6e-a1yp-g7dw
30
vulnerability VCID-gz6e-b7dz-5qdf
31
vulnerability VCID-h6sp-398p-pbeg
32
vulnerability VCID-hah6-e5fc-juc5
33
vulnerability VCID-hy75-nfg7-zfae
34
vulnerability VCID-j86y-n37n-n7ft
35
vulnerability VCID-kh46-xrgm-9udx
36
vulnerability VCID-mcbu-b45m-k3ck
37
vulnerability VCID-njyy-ywer-x7bf
38
vulnerability VCID-pu6f-xhvm-q3du
39
vulnerability VCID-pybp-gfy8-2qcr
40
vulnerability VCID-pypb-cezm-rkb2
41
vulnerability VCID-q84t-8dac-93dm
42
vulnerability VCID-qehu-58hj-67gn
43
vulnerability VCID-qmpd-946c-gqbc
44
vulnerability VCID-qr9h-6dg8-gkh3
45
vulnerability VCID-ryct-uaw3-fyfc
46
vulnerability VCID-suwt-h1ze-mydu
47
vulnerability VCID-t3ap-dzfp-1bd6
48
vulnerability VCID-t476-g5u5-1yeh
49
vulnerability VCID-u5wv-47m4-8yd6
50
vulnerability VCID-x9ns-34nt-gfer
51
vulnerability VCID-xh7u-8ze6-cqhk
52
vulnerability VCID-y7az-a4um-jqff
53
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.15
1
url pkg:pypi/apache-airflow@2.0.2
purl pkg:pypi/apache-airflow@2.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-due7-n14c-akfx
24
vulnerability VCID-ej1r-mp6n-gudd
25
vulnerability VCID-ez45-qkb4-xkba
26
vulnerability VCID-fbjk-2uvy-mqfc
27
vulnerability VCID-gn6e-a1yp-g7dw
28
vulnerability VCID-gz6e-b7dz-5qdf
29
vulnerability VCID-h6sp-398p-pbeg
30
vulnerability VCID-hah6-e5fc-juc5
31
vulnerability VCID-hy75-nfg7-zfae
32
vulnerability VCID-j86y-n37n-n7ft
33
vulnerability VCID-kh46-xrgm-9udx
34
vulnerability VCID-mcbu-b45m-k3ck
35
vulnerability VCID-njyy-ywer-x7bf
36
vulnerability VCID-pu6f-xhvm-q3du
37
vulnerability VCID-pybp-gfy8-2qcr
38
vulnerability VCID-pypb-cezm-rkb2
39
vulnerability VCID-q84t-8dac-93dm
40
vulnerability VCID-qehu-58hj-67gn
41
vulnerability VCID-qmpd-946c-gqbc
42
vulnerability VCID-qr9h-6dg8-gkh3
43
vulnerability VCID-rkeh-vuxg-ubgn
44
vulnerability VCID-ryct-uaw3-fyfc
45
vulnerability VCID-suwt-h1ze-mydu
46
vulnerability VCID-t3ap-dzfp-1bd6
47
vulnerability VCID-t476-g5u5-1yeh
48
vulnerability VCID-u5wv-47m4-8yd6
49
vulnerability VCID-x9ns-34nt-gfer
50
vulnerability VCID-xh7u-8ze6-cqhk
51
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.2
aliases CVE-2021-28359, GHSA-3xxv-p78r-4fc6, PYSEC-2021-4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ks8d-9vr8-4feh
44
url VCID-mcbu-b45m-k3ck
vulnerability_id VCID-mcbu-b45m-k3ck
summary 
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98
2
reference_url https://github.com/apache/airflow/pull/40933
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://github.com/apache/airflow/pull/40933
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml
4
reference_url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
5
reference_url http://www.openwall.com/lists/oss-security/2024/08/21/3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url http://www.openwall.com/lists/oss-security/2024/08/21/3
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41937
reference_id CVE-2024-41937
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-41937
7
reference_url https://github.com/advisories/GHSA-w7cp-g8v7-r54m
reference_id GHSA-w7cp-g8v7-r54m
reference_type
scores
url https://github.com/advisories/GHSA-w7cp-g8v7-r54m
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.0
purl pkg:pypi/apache-airflow@2.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-53rr-p2an-3bg9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-pu6f-xhvm-q3du
10
vulnerability VCID-t3ap-dzfp-1bd6
11
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0
aliases CVE-2024-41937, GHSA-w7cp-g8v7-r54m, PYSEC-2024-181
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck
45
url VCID-njyy-ywer-x7bf
vulnerability_id VCID-njyy-ywer-x7bf
summary 
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/34366
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://github.com/apache/airflow/pull/34366
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml
3
reference_url https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42792
reference_id CVE-2023-42792
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42792
5
reference_url https://github.com/advisories/GHSA-j3w8-2p2h-mrr9
reference_id GHSA-j3w8-2p2h-mrr9
reference_type
scores
url https://github.com/advisories/GHSA-j3w8-2p2h-mrr9
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.2
purl pkg:pypi/apache-airflow@2.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5jyk-dgtu-zfhd
6
vulnerability VCID-6vg9-hu9u-q7c3
7
vulnerability VCID-835a-arqz-g7h7
8
vulnerability VCID-91n6-evww-zybp
9
vulnerability VCID-98yf-mvnw-d3b4
10
vulnerability VCID-a64u-53x6-dfge
11
vulnerability VCID-amac-hqnj-xfgz
12
vulnerability VCID-dh4r-77xc-cbas
13
vulnerability VCID-djdy-z9r3-s3a2
14
vulnerability VCID-ej1r-mp6n-gudd
15
vulnerability VCID-fbjk-2uvy-mqfc
16
vulnerability VCID-j86y-n37n-n7ft
17
vulnerability VCID-mcbu-b45m-k3ck
18
vulnerability VCID-pu6f-xhvm-q3du
19
vulnerability VCID-t3ap-dzfp-1bd6
20
vulnerability VCID-t7xp-8ua7-d7ff
21
vulnerability VCID-u5wv-47m4-8yd6
22
vulnerability VCID-wb11-e3rz-e3cf
23
vulnerability VCID-x9ns-34nt-gfer
24
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2
aliases CVE-2023-42792, GHSA-j3w8-2p2h-mrr9, PYSEC-2023-203
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-njyy-ywer-x7bf
46
url VCID-p9we-cpy2-17h4
vulnerability_id VCID-p9we-cpy2-17h4
summary An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
references
0
reference_url https://github.com/advisories/GHSA-9g2w-5f3v-mfmm
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-9g2w-5f3v-mfmm
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/13612
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/13612
3
reference_url https://github.com/apache/airflow/pull/7205
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/7205
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-16.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-16.yaml
5
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-11982
reference_id CVE-2020-11982
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-11982
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-quaj-w9r3-qya8
50
vulnerability VCID-reu2-2xcq-fqa4
51
vulnerability VCID-ryct-uaw3-fyfc
52
vulnerability VCID-suwt-h1ze-mydu
53
vulnerability VCID-t3ap-dzfp-1bd6
54
vulnerability VCID-t476-g5u5-1yeh
55
vulnerability VCID-trd4-8vc9-ufab
56
vulnerability VCID-u5wv-47m4-8yd6
57
vulnerability VCID-x9ns-34nt-gfer
58
vulnerability VCID-xh7u-8ze6-cqhk
59
vulnerability VCID-y7az-a4um-jqff
60
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
1
url pkg:pypi/apache-airflow@1.10.11
purl pkg:pypi/apache-airflow@1.10.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-reu2-2xcq-fqa4
50
vulnerability VCID-ryct-uaw3-fyfc
51
vulnerability VCID-suwt-h1ze-mydu
52
vulnerability VCID-t3ap-dzfp-1bd6
53
vulnerability VCID-t476-g5u5-1yeh
54
vulnerability VCID-trd4-8vc9-ufab
55
vulnerability VCID-u5wv-47m4-8yd6
56
vulnerability VCID-x9ns-34nt-gfer
57
vulnerability VCID-xh7u-8ze6-cqhk
58
vulnerability VCID-y7az-a4um-jqff
59
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11
aliases CVE-2020-11982, GHSA-9g2w-5f3v-mfmm, PYSEC-2020-16
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p9we-cpy2-17h4
47
url VCID-pe8h-9hgu-j3hx
vulnerability_id VCID-pe8h-9hgu-j3hx
summary The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.
references
0
reference_url https://github.com/advisories/GHSA-86vp-x3pr-79rx
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-86vp-x3pr-79rx
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/13336272e32872247fa7d17e964ccd88ec8d1376
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/13336272e32872247fa7d17e964ccd88ec8d1376
3
reference_url https://github.com/apache/airflow/commit/409c249121bd9c8902fc2ba551b21873ab41f953
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/409c249121bd9c8902fc2ba551b21873ab41f953
4
reference_url https://github.com/apache/airflow/commit/7486153f451e4d2bb1c6fd9cbb5a63430157c99c
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/7486153f451e4d2bb1c6fd9cbb5a63430157c99c
5
reference_url https://github.com/apache/airflow/commit/ab8c55878e3e4257d2276226cb17b047ba856686
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/ab8c55878e3e4257d2276226cb17b047ba856686
6
reference_url https://github.com/apache/airflow/commit/c6369beed53d41c0a70415b0d958bf0604124ad7
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/c6369beed53d41c0a70415b0d958bf0604124ad7
7
reference_url https://github.com/apache/airflow/pull/14738
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/14738
8
reference_url https://github.com/apache/airflow/releases/tag/1.10.15
reference_id
reference_type
scores
url https://github.com/apache/airflow/releases/tag/1.10.15
9
reference_url https://github.com/apache/airflow/releases/tag/2.0.2
reference_id
reference_type
scores
url https://github.com/apache/airflow/releases/tag/2.0.2
10
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-21.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-21.yaml
11
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
12
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
13
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
14
reference_url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
15
reference_url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E
16
reference_url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
17
reference_url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
18
reference_url https://pypi.org/project/apache-airflow
reference_id
reference_type
scores
url https://pypi.org/project/apache-airflow
19
reference_url http://www.openwall.com/lists/oss-security/2020/12/11/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/12/11/2
20
reference_url http://www.openwall.com/lists/oss-security/2021/05/01/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/05/01/2
21
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-17515
reference_id CVE-2020-17515
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-17515
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.13
purl pkg:pypi/apache-airflow@1.10.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-frbp-mhhr-8bdt
29
vulnerability VCID-gn6e-a1yp-g7dw
30
vulnerability VCID-gz6e-b7dz-5qdf
31
vulnerability VCID-h6sp-398p-pbeg
32
vulnerability VCID-hah6-e5fc-juc5
33
vulnerability VCID-hy75-nfg7-zfae
34
vulnerability VCID-j86y-n37n-n7ft
35
vulnerability VCID-kh46-xrgm-9udx
36
vulnerability VCID-ks8d-9vr8-4feh
37
vulnerability VCID-mcbu-b45m-k3ck
38
vulnerability VCID-njyy-ywer-x7bf
39
vulnerability VCID-pu6f-xhvm-q3du
40
vulnerability VCID-pybp-gfy8-2qcr
41
vulnerability VCID-pypb-cezm-rkb2
42
vulnerability VCID-q84t-8dac-93dm
43
vulnerability VCID-qehu-58hj-67gn
44
vulnerability VCID-qmpd-946c-gqbc
45
vulnerability VCID-qr9h-6dg8-gkh3
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-trd4-8vc9-ufab
51
vulnerability VCID-u5wv-47m4-8yd6
52
vulnerability VCID-x9ns-34nt-gfer
53
vulnerability VCID-xh7u-8ze6-cqhk
54
vulnerability VCID-y7az-a4um-jqff
55
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13
1
url pkg:pypi/apache-airflow@1.10.15rc1
purl pkg:pypi/apache-airflow@1.10.15rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-frbp-mhhr-8bdt
29
vulnerability VCID-gn6e-a1yp-g7dw
30
vulnerability VCID-gz6e-b7dz-5qdf
31
vulnerability VCID-h6sp-398p-pbeg
32
vulnerability VCID-hah6-e5fc-juc5
33
vulnerability VCID-hy75-nfg7-zfae
34
vulnerability VCID-j86y-n37n-n7ft
35
vulnerability VCID-kh46-xrgm-9udx
36
vulnerability VCID-ks8d-9vr8-4feh
37
vulnerability VCID-mcbu-b45m-k3ck
38
vulnerability VCID-njyy-ywer-x7bf
39
vulnerability VCID-pu6f-xhvm-q3du
40
vulnerability VCID-pybp-gfy8-2qcr
41
vulnerability VCID-pypb-cezm-rkb2
42
vulnerability VCID-q84t-8dac-93dm
43
vulnerability VCID-qehu-58hj-67gn
44
vulnerability VCID-qmpd-946c-gqbc
45
vulnerability VCID-qr9h-6dg8-gkh3
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-u5wv-47m4-8yd6
51
vulnerability VCID-x9ns-34nt-gfer
52
vulnerability VCID-xh7u-8ze6-cqhk
53
vulnerability VCID-y7az-a4um-jqff
54
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.15rc1
2
url pkg:pypi/apache-airflow@2.0.2rc1
purl pkg:pypi/apache-airflow@2.0.2rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-due7-n14c-akfx
24
vulnerability VCID-ej1r-mp6n-gudd
25
vulnerability VCID-ez45-qkb4-xkba
26
vulnerability VCID-fbjk-2uvy-mqfc
27
vulnerability VCID-gn6e-a1yp-g7dw
28
vulnerability VCID-gz6e-b7dz-5qdf
29
vulnerability VCID-h6sp-398p-pbeg
30
vulnerability VCID-hah6-e5fc-juc5
31
vulnerability VCID-hy75-nfg7-zfae
32
vulnerability VCID-j86y-n37n-n7ft
33
vulnerability VCID-kh46-xrgm-9udx
34
vulnerability VCID-ks8d-9vr8-4feh
35
vulnerability VCID-mcbu-b45m-k3ck
36
vulnerability VCID-njyy-ywer-x7bf
37
vulnerability VCID-pu6f-xhvm-q3du
38
vulnerability VCID-pybp-gfy8-2qcr
39
vulnerability VCID-pypb-cezm-rkb2
40
vulnerability VCID-q84t-8dac-93dm
41
vulnerability VCID-qehu-58hj-67gn
42
vulnerability VCID-qmpd-946c-gqbc
43
vulnerability VCID-qr9h-6dg8-gkh3
44
vulnerability VCID-rkeh-vuxg-ubgn
45
vulnerability VCID-ryct-uaw3-fyfc
46
vulnerability VCID-suwt-h1ze-mydu
47
vulnerability VCID-t3ap-dzfp-1bd6
48
vulnerability VCID-t476-g5u5-1yeh
49
vulnerability VCID-u5wv-47m4-8yd6
50
vulnerability VCID-x9ns-34nt-gfer
51
vulnerability VCID-xh7u-8ze6-cqhk
52
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.2rc1
aliases CVE-2020-17515, GHSA-86vp-x3pr-79rx, PYSEC-2020-21
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pe8h-9hgu-j3hx
48
url VCID-pu6f-xhvm-q3du
vulnerability_id VCID-pu6f-xhvm-q3du
summary A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
references
0
reference_url https://github.com/apache/airflow/pull/65906
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/65906
1
reference_url https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-42360, PYSEC-2026-172
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pu6f-xhvm-q3du
49
url VCID-pybp-gfy8-2qcr
vulnerability_id VCID-pybp-gfy8-2qcr
summary In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
references
0
reference_url https://github.com/advisories/GHSA-3v7g-4pg3-7r6j
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-3v7g-4pg3-7r6j
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml
3
reference_url https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t
reference_id
reference_type
scores
url https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24288
reference_id CVE-2022-24288
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-24288
fixed_packages
0
url pkg:pypi/apache-airflow@2.2.4
purl pkg:pypi/apache-airflow@2.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-2ysx-9hz5-fyfm
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-4xax-xw67-2qfv
6
vulnerability VCID-56eq-awhd-d3fr
7
vulnerability VCID-5cpd-kjpb-ekhv
8
vulnerability VCID-5jyk-dgtu-zfhd
9
vulnerability VCID-5nys-mzgw-4khd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-ej1r-mp6n-gudd
24
vulnerability VCID-ez45-qkb4-xkba
25
vulnerability VCID-fbjk-2uvy-mqfc
26
vulnerability VCID-gz6e-b7dz-5qdf
27
vulnerability VCID-h6sp-398p-pbeg
28
vulnerability VCID-hah6-e5fc-juc5
29
vulnerability VCID-hy75-nfg7-zfae
30
vulnerability VCID-j86y-n37n-n7ft
31
vulnerability VCID-kh46-xrgm-9udx
32
vulnerability VCID-mcbu-b45m-k3ck
33
vulnerability VCID-njyy-ywer-x7bf
34
vulnerability VCID-pu6f-xhvm-q3du
35
vulnerability VCID-pypb-cezm-rkb2
36
vulnerability VCID-q84t-8dac-93dm
37
vulnerability VCID-qehu-58hj-67gn
38
vulnerability VCID-qmpd-946c-gqbc
39
vulnerability VCID-qr9h-6dg8-gkh3
40
vulnerability VCID-ryct-uaw3-fyfc
41
vulnerability VCID-suwt-h1ze-mydu
42
vulnerability VCID-t3ap-dzfp-1bd6
43
vulnerability VCID-t476-g5u5-1yeh
44
vulnerability VCID-u5wv-47m4-8yd6
45
vulnerability VCID-x9ns-34nt-gfer
46
vulnerability VCID-xh7u-8ze6-cqhk
47
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4
aliases CVE-2022-24288, GHSA-3v7g-4pg3-7r6j, PYSEC-2022-30
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pybp-gfy8-2qcr
50
url VCID-pypb-cezm-rkb2
vulnerability_id VCID-pypb-cezm-rkb2
summary 
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.

Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
2
reference_url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
3
reference_url https://github.com/apache/airflow/pull/33413
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/33413
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml
5
reference_url https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
reference_id
reference_type
scores
url https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40611
reference_id CVE-2023-40611
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40611
7
reference_url https://github.com/advisories/GHSA-wpg8-mf6h-gm92
reference_id GHSA-wpg8-mf6h-gm92
reference_type
scores
url https://github.com/advisories/GHSA-wpg8-mf6h-gm92
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.1
purl pkg:pypi/apache-airflow@2.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1jx5-34px-ukbz
1
vulnerability VCID-1w96-f72k-ryap
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-56eq-awhd-d3fr
6
vulnerability VCID-5cpd-kjpb-ekhv
7
vulnerability VCID-5jyk-dgtu-zfhd
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-dh4r-77xc-cbas
15
vulnerability VCID-djdy-z9r3-s3a2
16
vulnerability VCID-ej1r-mp6n-gudd
17
vulnerability VCID-fbjk-2uvy-mqfc
18
vulnerability VCID-j86y-n37n-n7ft
19
vulnerability VCID-mcbu-b45m-k3ck
20
vulnerability VCID-njyy-ywer-x7bf
21
vulnerability VCID-pu6f-xhvm-q3du
22
vulnerability VCID-t3ap-dzfp-1bd6
23
vulnerability VCID-t476-g5u5-1yeh
24
vulnerability VCID-t7xp-8ua7-d7ff
25
vulnerability VCID-u5wv-47m4-8yd6
26
vulnerability VCID-wb11-e3rz-e3cf
27
vulnerability VCID-x9ns-34nt-gfer
28
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1
aliases CVE-2023-40611, GHSA-wpg8-mf6h-gm92, PYSEC-2023-170
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pypb-cezm-rkb2
51
url VCID-q84t-8dac-93dm
vulnerability_id VCID-q84t-8dac-93dm
summary A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
references
0
reference_url https://github.com/apache/airflow/pull/25960
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/25960
1
reference_url https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
reference_id
reference_type
scores
url https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
2
reference_url http://www.openwall.com/lists/oss-security/2022/11/14/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/11/14/2
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.0
purl pkg:pypi/apache-airflow@2.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-2ysx-9hz5-fyfm
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-56eq-awhd-d3fr
6
vulnerability VCID-5cpd-kjpb-ekhv
7
vulnerability VCID-5jyk-dgtu-zfhd
8
vulnerability VCID-5yxa-ubfq-fqdx
9
vulnerability VCID-5zmy-2ape-7qfa
10
vulnerability VCID-6gjt-zsju-47a3
11
vulnerability VCID-6vg9-hu9u-q7c3
12
vulnerability VCID-71hr-1ews-9qa6
13
vulnerability VCID-835a-arqz-g7h7
14
vulnerability VCID-91n6-evww-zybp
15
vulnerability VCID-98yf-mvnw-d3b4
16
vulnerability VCID-a64u-53x6-dfge
17
vulnerability VCID-amac-hqnj-xfgz
18
vulnerability VCID-b3w3-h9cm-ufgm
19
vulnerability VCID-cahz-4dy7-bbe9
20
vulnerability VCID-csqr-pdvv-gfbh
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-ej1r-mp6n-gudd
24
vulnerability VCID-ez45-qkb4-xkba
25
vulnerability VCID-fbjk-2uvy-mqfc
26
vulnerability VCID-h6sp-398p-pbeg
27
vulnerability VCID-hah6-e5fc-juc5
28
vulnerability VCID-hy75-nfg7-zfae
29
vulnerability VCID-j86y-n37n-n7ft
30
vulnerability VCID-kh46-xrgm-9udx
31
vulnerability VCID-mcbu-b45m-k3ck
32
vulnerability VCID-njyy-ywer-x7bf
33
vulnerability VCID-pu6f-xhvm-q3du
34
vulnerability VCID-pypb-cezm-rkb2
35
vulnerability VCID-qehu-58hj-67gn
36
vulnerability VCID-qmpd-946c-gqbc
37
vulnerability VCID-ryct-uaw3-fyfc
38
vulnerability VCID-suwt-h1ze-mydu
39
vulnerability VCID-t3ap-dzfp-1bd6
40
vulnerability VCID-t476-g5u5-1yeh
41
vulnerability VCID-u5wv-47m4-8yd6
42
vulnerability VCID-x9ns-34nt-gfer
43
vulnerability VCID-xh7u-8ze6-cqhk
44
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.0
aliases CVE-2022-40127, PYSEC-2022-42982
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q84t-8dac-93dm
52
url VCID-qehu-58hj-67gn
vulnerability_id VCID-qehu-58hj-67gn
summary In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.
references
0
reference_url https://github.com/apache/airflow/pull/27576
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/27576
1
reference_url https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh
reference_id
reference_type
scores
url https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh
2
reference_url http://www.openwall.com/lists/oss-security/2022/11/15/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/11/15/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.4.3
purl pkg:pypi/apache-airflow@2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-b3w3-h9cm-ufgm
16
vulnerability VCID-cahz-4dy7-bbe9
17
vulnerability VCID-csqr-pdvv-gfbh
18
vulnerability VCID-dh4r-77xc-cbas
19
vulnerability VCID-djdy-z9r3-s3a2
20
vulnerability VCID-ej1r-mp6n-gudd
21
vulnerability VCID-ez45-qkb4-xkba
22
vulnerability VCID-fbjk-2uvy-mqfc
23
vulnerability VCID-h6sp-398p-pbeg
24
vulnerability VCID-hah6-e5fc-juc5
25
vulnerability VCID-hy75-nfg7-zfae
26
vulnerability VCID-j86y-n37n-n7ft
27
vulnerability VCID-mcbu-b45m-k3ck
28
vulnerability VCID-njyy-ywer-x7bf
29
vulnerability VCID-pu6f-xhvm-q3du
30
vulnerability VCID-pypb-cezm-rkb2
31
vulnerability VCID-qmpd-946c-gqbc
32
vulnerability VCID-ryct-uaw3-fyfc
33
vulnerability VCID-suwt-h1ze-mydu
34
vulnerability VCID-t3ap-dzfp-1bd6
35
vulnerability VCID-t476-g5u5-1yeh
36
vulnerability VCID-u5wv-47m4-8yd6
37
vulnerability VCID-x9ns-34nt-gfer
38
vulnerability VCID-xh7u-8ze6-cqhk
39
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3
aliases CVE-2022-45402, PYSEC-2022-42984
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qehu-58hj-67gn
53
url VCID-qmpd-946c-gqbc
vulnerability_id VCID-qmpd-946c-gqbc
summary Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473
2
reference_url https://github.com/apache/airflow/pull/29506
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/29506
3
reference_url https://github.com/apache/airflow/releases/tag/2.6.0
reference_id
reference_type
scores
url https://github.com/apache/airflow/releases/tag/2.6.0
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml
5
reference_url https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v
reference_id
reference_type
scores
url https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v
6
reference_url https://www.openwall.com/lists/oss-security/2023/05/08/2
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/05/08/2
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25754
reference_id CVE-2023-25754
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25754
8
reference_url https://github.com/advisories/GHSA-jchm-fm4q-c2fp
reference_id GHSA-jchm-fm4q-c2fp
reference_type
scores
url https://github.com/advisories/GHSA-jchm-fm4q-c2fp
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.0b1
purl pkg:pypi/apache-airflow@2.6.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-b3w3-h9cm-ufgm
16
vulnerability VCID-cahz-4dy7-bbe9
17
vulnerability VCID-csqr-pdvv-gfbh
18
vulnerability VCID-dh4r-77xc-cbas
19
vulnerability VCID-djdy-z9r3-s3a2
20
vulnerability VCID-ej1r-mp6n-gudd
21
vulnerability VCID-ez45-qkb4-xkba
22
vulnerability VCID-fbjk-2uvy-mqfc
23
vulnerability VCID-h6sp-398p-pbeg
24
vulnerability VCID-hy75-nfg7-zfae
25
vulnerability VCID-j86y-n37n-n7ft
26
vulnerability VCID-mcbu-b45m-k3ck
27
vulnerability VCID-njyy-ywer-x7bf
28
vulnerability VCID-pu6f-xhvm-q3du
29
vulnerability VCID-pypb-cezm-rkb2
30
vulnerability VCID-q4rb-1yt3-rqdk
31
vulnerability VCID-qmpd-946c-gqbc
32
vulnerability VCID-ryct-uaw3-fyfc
33
vulnerability VCID-suwt-h1ze-mydu
34
vulnerability VCID-t3ap-dzfp-1bd6
35
vulnerability VCID-t476-g5u5-1yeh
36
vulnerability VCID-u5wv-47m4-8yd6
37
vulnerability VCID-x9ns-34nt-gfer
38
vulnerability VCID-xh7u-8ze6-cqhk
39
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1
1
url pkg:pypi/apache-airflow@2.6.0
purl pkg:pypi/apache-airflow@2.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-cahz-4dy7-bbe9
16
vulnerability VCID-csqr-pdvv-gfbh
17
vulnerability VCID-dh4r-77xc-cbas
18
vulnerability VCID-djdy-z9r3-s3a2
19
vulnerability VCID-ej1r-mp6n-gudd
20
vulnerability VCID-ez45-qkb4-xkba
21
vulnerability VCID-fbjk-2uvy-mqfc
22
vulnerability VCID-h6sp-398p-pbeg
23
vulnerability VCID-hy75-nfg7-zfae
24
vulnerability VCID-j86y-n37n-n7ft
25
vulnerability VCID-mcbu-b45m-k3ck
26
vulnerability VCID-njyy-ywer-x7bf
27
vulnerability VCID-pu6f-xhvm-q3du
28
vulnerability VCID-pypb-cezm-rkb2
29
vulnerability VCID-q4rb-1yt3-rqdk
30
vulnerability VCID-ryct-uaw3-fyfc
31
vulnerability VCID-t3ap-dzfp-1bd6
32
vulnerability VCID-t476-g5u5-1yeh
33
vulnerability VCID-u5wv-47m4-8yd6
34
vulnerability VCID-wb11-e3rz-e3cf
35
vulnerability VCID-x9ns-34nt-gfer
36
vulnerability VCID-xh7u-8ze6-cqhk
37
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0
aliases CVE-2023-25754, GHSA-jchm-fm4q-c2fp, PYSEC-2023-59
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qmpd-946c-gqbc
54
url VCID-qr9h-6dg8-gkh3
vulnerability_id VCID-qr9h-6dg8-gkh3
summary Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3
2
reference_url https://github.com/apache/airflow/pull/30215
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/30215
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml
4
reference_url https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk
reference_id
reference_type
scores
url https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk
5
reference_url https://www.openwall.com/lists/oss-security/2023/04/07/1
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/04/07/1
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28707
reference_id CVE-2023-28707
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-28707
7
reference_url https://github.com/advisories/GHSA-85pf-r4c7-3j9r
reference_id GHSA-85pf-r4c7-3j9r
reference_type
scores
url https://github.com/advisories/GHSA-85pf-r4c7-3j9r
fixed_packages
0
url pkg:pypi/apache-airflow@2.3.2
purl pkg:pypi/apache-airflow@2.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-2ysx-9hz5-fyfm
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4bps-htex-tqgk
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-56eq-awhd-d3fr
7
vulnerability VCID-5cpd-kjpb-ekhv
8
vulnerability VCID-5jyk-dgtu-zfhd
9
vulnerability VCID-5nys-mzgw-4khd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6pk8-baws-e3dt
14
vulnerability VCID-6vg9-hu9u-q7c3
15
vulnerability VCID-71hr-1ews-9qa6
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-ej1r-mp6n-gudd
25
vulnerability VCID-ez45-qkb4-xkba
26
vulnerability VCID-fbjk-2uvy-mqfc
27
vulnerability VCID-gz6e-b7dz-5qdf
28
vulnerability VCID-h6sp-398p-pbeg
29
vulnerability VCID-hah6-e5fc-juc5
30
vulnerability VCID-hy75-nfg7-zfae
31
vulnerability VCID-j86y-n37n-n7ft
32
vulnerability VCID-kh46-xrgm-9udx
33
vulnerability VCID-mcbu-b45m-k3ck
34
vulnerability VCID-njyy-ywer-x7bf
35
vulnerability VCID-pu6f-xhvm-q3du
36
vulnerability VCID-pypb-cezm-rkb2
37
vulnerability VCID-q84t-8dac-93dm
38
vulnerability VCID-qehu-58hj-67gn
39
vulnerability VCID-qmpd-946c-gqbc
40
vulnerability VCID-ryct-uaw3-fyfc
41
vulnerability VCID-suwt-h1ze-mydu
42
vulnerability VCID-t3ap-dzfp-1bd6
43
vulnerability VCID-t476-g5u5-1yeh
44
vulnerability VCID-u5wv-47m4-8yd6
45
vulnerability VCID-x9ns-34nt-gfer
46
vulnerability VCID-xh7u-8ze6-cqhk
47
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.2
aliases CVE-2023-28707, GHSA-85pf-r4c7-3j9r, PYSEC-2023-3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qr9h-6dg8-gkh3
55
url VCID-quaj-w9r3-qya8
vulnerability_id VCID-quaj-w9r3-qya8
summary The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
references
0
reference_url http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html
reference_id
reference_type
scores
url http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html
1
reference_url https://airflow.apache.org/docs/apache-airflow/1.10.11/security.html#api-authentication
reference_id
reference_type
scores
url https://airflow.apache.org/docs/apache-airflow/1.10.11/security.html#api-authentication
2
reference_url https://github.com/advisories/GHSA-hhx9-p69v-cx2j
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-hhx9-p69v-cx2j
3
reference_url https://github.com/apache/airflow/pull/9611/commits/c8053e166d45ad519c0a1cd4480e025a759c176e
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/9611/commits/c8053e166d45ad519c0a1cd4480e025a759c176e
4
reference_url https://github.com/apache/airflow/releases/tag/1.10.11
reference_id
reference_type
scores
url https://github.com/apache/airflow/releases/tag/1.10.11
5
reference_url https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-13927
reference_id CVE-2020-13927
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-13927
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11
purl pkg:pypi/apache-airflow@1.10.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-reu2-2xcq-fqa4
50
vulnerability VCID-ryct-uaw3-fyfc
51
vulnerability VCID-suwt-h1ze-mydu
52
vulnerability VCID-t3ap-dzfp-1bd6
53
vulnerability VCID-t476-g5u5-1yeh
54
vulnerability VCID-trd4-8vc9-ufab
55
vulnerability VCID-u5wv-47m4-8yd6
56
vulnerability VCID-x9ns-34nt-gfer
57
vulnerability VCID-xh7u-8ze6-cqhk
58
vulnerability VCID-y7az-a4um-jqff
59
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11
aliases CVE-2020-13927, GHSA-hhx9-p69v-cx2j, PYSEC-2020-18
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-quaj-w9r3-qya8
56
url VCID-reu2-2xcq-fqa4
vulnerability_id VCID-reu2-2xcq-fqa4
summary In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
references
0
reference_url https://github.com/advisories/GHSA-4pwq-fj89-6rjc
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-4pwq-fj89-6rjc
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/5c2bb7b0b0e717b11f093910b443243330ad93ca
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/5c2bb7b0b0e717b11f093910b443243330ad93ca
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-19.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-19.yaml
4
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
5
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
6
reference_url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E
9
reference_url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
10
reference_url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
11
reference_url http://www.openwall.com/lists/oss-security/2020/12/11/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/12/11/2
12
reference_url http://www.openwall.com/lists/oss-security/2021/05/01/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/05/01/2
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-13944
reference_id CVE-2020-13944
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-13944
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.12
purl pkg:pypi/apache-airflow@1.10.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-ryct-uaw3-fyfc
50
vulnerability VCID-suwt-h1ze-mydu
51
vulnerability VCID-t3ap-dzfp-1bd6
52
vulnerability VCID-t476-g5u5-1yeh
53
vulnerability VCID-trd4-8vc9-ufab
54
vulnerability VCID-u5wv-47m4-8yd6
55
vulnerability VCID-x9ns-34nt-gfer
56
vulnerability VCID-xh7u-8ze6-cqhk
57
vulnerability VCID-y7az-a4um-jqff
58
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.12
aliases CVE-2020-13944, GHSA-4pwq-fj89-6rjc, PYSEC-2020-19
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-reu2-2xcq-fqa4
57
url VCID-ryct-uaw3-fyfc
vulnerability_id VCID-ryct-uaw3-fyfc
summary 
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603
2
reference_url https://github.com/apache/airflow/pull/32052
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
url https://github.com/apache/airflow/pull/32052
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml
4
reference_url https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
url https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r
5
reference_url http://www.openwall.com/lists/oss-security/2023/08/23/4
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
url http://www.openwall.com/lists/oss-security/2023/08/23/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37379
reference_id CVE-2023-37379
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-37379
7
reference_url https://github.com/advisories/GHSA-x2mh-8fmc-rqgh
reference_id GHSA-x2mh-8fmc-rqgh
reference_type
scores
url https://github.com/advisories/GHSA-x2mh-8fmc-rqgh
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.0b1
purl pkg:pypi/apache-airflow@2.7.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-cahz-4dy7-bbe9
15
vulnerability VCID-csqr-pdvv-gfbh
16
vulnerability VCID-dh4r-77xc-cbas
17
vulnerability VCID-djdy-z9r3-s3a2
18
vulnerability VCID-ej1r-mp6n-gudd
19
vulnerability VCID-fbjk-2uvy-mqfc
20
vulnerability VCID-j86y-n37n-n7ft
21
vulnerability VCID-mcbu-b45m-k3ck
22
vulnerability VCID-njyy-ywer-x7bf
23
vulnerability VCID-pu6f-xhvm-q3du
24
vulnerability VCID-pypb-cezm-rkb2
25
vulnerability VCID-ryct-uaw3-fyfc
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-u5wv-47m4-8yd6
29
vulnerability VCID-wb11-e3rz-e3cf
30
vulnerability VCID-x9ns-34nt-gfer
31
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0b1
1
url pkg:pypi/apache-airflow@2.7.0
purl pkg:pypi/apache-airflow@2.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1jx5-34px-ukbz
1
vulnerability VCID-1w96-f72k-ryap
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-3h3z-bfsc-jqax
4
vulnerability VCID-4ga6-4111-dyc9
5
vulnerability VCID-56eq-awhd-d3fr
6
vulnerability VCID-5cpd-kjpb-ekhv
7
vulnerability VCID-5jyk-dgtu-zfhd
8
vulnerability VCID-5zmy-2ape-7qfa
9
vulnerability VCID-6vg9-hu9u-q7c3
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-c5dx-r8gh-93fm
16
vulnerability VCID-cahz-4dy7-bbe9
17
vulnerability VCID-dh4r-77xc-cbas
18
vulnerability VCID-djdy-z9r3-s3a2
19
vulnerability VCID-ej1r-mp6n-gudd
20
vulnerability VCID-fbjk-2uvy-mqfc
21
vulnerability VCID-j86y-n37n-n7ft
22
vulnerability VCID-mcbu-b45m-k3ck
23
vulnerability VCID-njyy-ywer-x7bf
24
vulnerability VCID-pu6f-xhvm-q3du
25
vulnerability VCID-pypb-cezm-rkb2
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-t7xp-8ua7-d7ff
29
vulnerability VCID-u5wv-47m4-8yd6
30
vulnerability VCID-wb11-e3rz-e3cf
31
vulnerability VCID-x9ns-34nt-gfer
32
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0
aliases CVE-2023-37379, GHSA-x2mh-8fmc-rqgh, PYSEC-2023-152
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ryct-uaw3-fyfc
58
url VCID-suwt-h1ze-mydu
vulnerability_id VCID-suwt-h1ze-mydu
summary Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75
2
reference_url https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e
3
reference_url https://github.com/apache/airflow/pull/30447
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/30447
4
reference_url https://github.com/apache/airflow/pull/30779
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/30779
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml
6
reference_url https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl
reference_id
reference_type
scores
url https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29247
reference_id CVE-2023-29247
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-29247
8
reference_url https://github.com/advisories/GHSA-vcf6-3wv2-5vcr
reference_id GHSA-vcf6-3wv2-5vcr
reference_type
scores
url https://github.com/advisories/GHSA-vcf6-3wv2-5vcr
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.0
purl pkg:pypi/apache-airflow@2.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-71hr-1ews-9qa6
10
vulnerability VCID-835a-arqz-g7h7
11
vulnerability VCID-91n6-evww-zybp
12
vulnerability VCID-98yf-mvnw-d3b4
13
vulnerability VCID-a64u-53x6-dfge
14
vulnerability VCID-amac-hqnj-xfgz
15
vulnerability VCID-cahz-4dy7-bbe9
16
vulnerability VCID-csqr-pdvv-gfbh
17
vulnerability VCID-dh4r-77xc-cbas
18
vulnerability VCID-djdy-z9r3-s3a2
19
vulnerability VCID-ej1r-mp6n-gudd
20
vulnerability VCID-ez45-qkb4-xkba
21
vulnerability VCID-fbjk-2uvy-mqfc
22
vulnerability VCID-h6sp-398p-pbeg
23
vulnerability VCID-hy75-nfg7-zfae
24
vulnerability VCID-j86y-n37n-n7ft
25
vulnerability VCID-mcbu-b45m-k3ck
26
vulnerability VCID-njyy-ywer-x7bf
27
vulnerability VCID-pu6f-xhvm-q3du
28
vulnerability VCID-pypb-cezm-rkb2
29
vulnerability VCID-q4rb-1yt3-rqdk
30
vulnerability VCID-ryct-uaw3-fyfc
31
vulnerability VCID-t3ap-dzfp-1bd6
32
vulnerability VCID-t476-g5u5-1yeh
33
vulnerability VCID-u5wv-47m4-8yd6
34
vulnerability VCID-wb11-e3rz-e3cf
35
vulnerability VCID-x9ns-34nt-gfer
36
vulnerability VCID-xh7u-8ze6-cqhk
37
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0
aliases CVE-2023-29247, GHSA-vcf6-3wv2-5vcr, PYSEC-2023-60
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-suwt-h1ze-mydu
59
url VCID-t3ap-dzfp-1bd6
vulnerability_id VCID-t3ap-dzfp-1bd6
summary 
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/59688
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/59688
2
reference_url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
3
reference_url http://www.openwall.com/lists/oss-security/2026/01/15/6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/01/15/6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
reference_id CVE-2025-68675
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
5
reference_url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
reference_id GHSA-7c2f-r6gc-h92h
reference_type
scores
url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
fixed_packages
0
url pkg:pypi/apache-airflow@2.11.1
purl pkg:pypi/apache-airflow@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5jyk-dgtu-zfhd
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-djdy-z9r3-s3a2
6
vulnerability VCID-ej1r-mp6n-gudd
7
vulnerability VCID-pu6f-xhvm-q3du
8
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1
1
url pkg:pypi/apache-airflow@3.1.6
purl pkg:pypi/apache-airflow@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2b14-1bp2-gua6
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-5hxx-r2d2-9ybk
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-9j1n-cypf-p7g5
7
vulnerability VCID-9ru4-qyks-hybs
8
vulnerability VCID-dhj9-usjr-nbfe
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-dzfs-e5ys-fbhz
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-etmw-7eq5-mqa2
13
vulnerability VCID-geg4-1kgh-akde
14
vulnerability VCID-hkwf-65vr-dkfz
15
vulnerability VCID-knrd-atwy-gubn
16
vulnerability VCID-pu6f-xhvm-q3du
17
vulnerability VCID-tbb9-myv7-a7h4
18
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6
aliases CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6
60
url VCID-t476-g5u5-1yeh
vulnerability_id VCID-t476-g5u5-1yeh
summary 
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/34355
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/34355
1
reference_url https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42780
reference_id CVE-2023-42780
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-42780
3
reference_url https://github.com/advisories/GHSA-cgx2-rrmr-jx43
reference_id GHSA-cgx2-rrmr-jx43
reference_type
scores
url https://github.com/advisories/GHSA-cgx2-rrmr-jx43
fixed_packages
0
url pkg:pypi/apache-airflow@2.7.2
purl pkg:pypi/apache-airflow@2.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5jyk-dgtu-zfhd
6
vulnerability VCID-6vg9-hu9u-q7c3
7
vulnerability VCID-835a-arqz-g7h7
8
vulnerability VCID-91n6-evww-zybp
9
vulnerability VCID-98yf-mvnw-d3b4
10
vulnerability VCID-a64u-53x6-dfge
11
vulnerability VCID-amac-hqnj-xfgz
12
vulnerability VCID-dh4r-77xc-cbas
13
vulnerability VCID-djdy-z9r3-s3a2
14
vulnerability VCID-ej1r-mp6n-gudd
15
vulnerability VCID-fbjk-2uvy-mqfc
16
vulnerability VCID-j86y-n37n-n7ft
17
vulnerability VCID-mcbu-b45m-k3ck
18
vulnerability VCID-pu6f-xhvm-q3du
19
vulnerability VCID-t3ap-dzfp-1bd6
20
vulnerability VCID-t7xp-8ua7-d7ff
21
vulnerability VCID-u5wv-47m4-8yd6
22
vulnerability VCID-wb11-e3rz-e3cf
23
vulnerability VCID-x9ns-34nt-gfer
24
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2
aliases CVE-2023-42780, GHSA-cgx2-rrmr-jx43, PYSEC-2023-202
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t476-g5u5-1yeh
61
url VCID-trd4-8vc9-ufab
vulnerability_id VCID-trd4-8vc9-ufab
summary Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.
references
0
reference_url https://github.com/advisories/GHSA-7mx5-x372-xh87
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-7mx5-x372-xh87
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/2f3b1c780472afd4c8a93633e6633feb7083792e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2f3b1c780472afd4c8a93633e6633feb7083792e
3
reference_url https://github.com/apache/airflow/commit/6b065840323f9a4fc8e372b458d26e419e4fa99b
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/6b065840323f9a4fc8e372b458d26e419e4fa99b
4
reference_url https://github.com/apache/airflow/commit/97b2735d65e95c4633966667b6db3908540f3937
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/97b2735d65e95c4633966667b6db3908540f3937
5
reference_url https://github.com/apache/airflow/commit/9e01476a50b9be27c4b1e6c6e24d36f290629195
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/9e01476a50b9be27c4b1e6c6e24d36f290629195
6
reference_url https://github.com/apache/airflow/commit/a8900fa5f2b8963e9f57ba4ae5520a5d339aeaad
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/a8900fa5f2b8963e9f57ba4ae5520a5d339aeaad
7
reference_url https://github.com/apache/airflow/commit/dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6
8
reference_url https://github.com/apache/airflow/commit/fe6d00a54f83468e296777d3b83b65a2ae7169ec
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/fe6d00a54f83468e296777d3b83b65a2ae7169ec
9
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-22.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-22.yaml
10
reference_url https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E
11
reference_url https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
12
reference_url http://www.openwall.com/lists/oss-security/2020/12/21/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2020/12/21/1
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-17526
reference_id CVE-2020-17526
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-17526
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.14
purl pkg:pypi/apache-airflow@1.10.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-frbp-mhhr-8bdt
29
vulnerability VCID-gn6e-a1yp-g7dw
30
vulnerability VCID-gz6e-b7dz-5qdf
31
vulnerability VCID-h6sp-398p-pbeg
32
vulnerability VCID-hah6-e5fc-juc5
33
vulnerability VCID-hy75-nfg7-zfae
34
vulnerability VCID-j86y-n37n-n7ft
35
vulnerability VCID-kh46-xrgm-9udx
36
vulnerability VCID-ks8d-9vr8-4feh
37
vulnerability VCID-mcbu-b45m-k3ck
38
vulnerability VCID-njyy-ywer-x7bf
39
vulnerability VCID-pu6f-xhvm-q3du
40
vulnerability VCID-pybp-gfy8-2qcr
41
vulnerability VCID-pypb-cezm-rkb2
42
vulnerability VCID-q84t-8dac-93dm
43
vulnerability VCID-qehu-58hj-67gn
44
vulnerability VCID-qmpd-946c-gqbc
45
vulnerability VCID-qr9h-6dg8-gkh3
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-u5wv-47m4-8yd6
51
vulnerability VCID-x9ns-34nt-gfer
52
vulnerability VCID-xh7u-8ze6-cqhk
53
vulnerability VCID-y7az-a4um-jqff
54
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.14
aliases CVE-2020-17526, GHSA-7mx5-x372-xh87, PYSEC-2020-22
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-trd4-8vc9-ufab
62
url VCID-u5wv-47m4-8yd6
vulnerability_id VCID-u5wv-47m4-8yd6
summary Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/43040
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/43040
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml
3
reference_url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
reference_id
reference_type
scores
url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
4
reference_url http://www.openwall.com/lists/oss-security/2024/11/15/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/11/15/1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45784
reference_id CVE-2024-45784
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-45784
6
reference_url https://github.com/advisories/GHSA-46c3-5xc5-wwhv
reference_id GHSA-46c3-5xc5-wwhv
reference_type
scores
url https://github.com/advisories/GHSA-46c3-5xc5-wwhv
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.3
purl pkg:pypi/apache-airflow@2.10.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5jyk-dgtu-zfhd
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-djdy-z9r3-s3a2
6
vulnerability VCID-ej1r-mp6n-gudd
7
vulnerability VCID-pu6f-xhvm-q3du
8
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3
aliases CVE-2024-45784, GHSA-46c3-5xc5-wwhv, PYSEC-2024-182
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6
63
url VCID-x9ns-34nt-gfer
vulnerability_id VCID-x9ns-34nt-gfer
summary 
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3
2
reference_url https://github.com/apache/airflow/pull/39550
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/39550
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml
4
reference_url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
5
reference_url http://www.openwall.com/lists/oss-security/2024/06/13/1
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2024/06/13/1
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25142
reference_id CVE-2024-25142
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-25142
7
reference_url https://github.com/advisories/GHSA-9xpj-62mm-24h2
reference_id GHSA-9xpj-62mm-24h2
reference_type
scores
url https://github.com/advisories/GHSA-9xpj-62mm-24h2
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.2
purl pkg:pypi/apache-airflow@2.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-mcbu-b45m-k3ck
10
vulnerability VCID-pu6f-xhvm-q3du
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2
aliases CVE-2024-25142, GHSA-9xpj-62mm-24h2, PYSEC-2024-195
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer
64
url VCID-xh7u-8ze6-cqhk
vulnerability_id VCID-xh7u-8ze6-cqhk
summary Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315
2
reference_url https://github.com/apache/airflow/pull/32060
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/32060
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml
4
reference_url https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4
reference_id
reference_type
scores
url https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36543
reference_id CVE-2023-36543
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-36543
6
reference_url https://github.com/advisories/GHSA-3h4m-m55v-gx4m
reference_id GHSA-3h4m-m55v-gx4m
reference_type
scores
url https://github.com/advisories/GHSA-3h4m-m55v-gx4m
fixed_packages
0
url pkg:pypi/apache-airflow@2.6.3
purl pkg:pypi/apache-airflow@2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-3h3z-bfsc-jqax
3
vulnerability VCID-4ga6-4111-dyc9
4
vulnerability VCID-56eq-awhd-d3fr
5
vulnerability VCID-5cpd-kjpb-ekhv
6
vulnerability VCID-5jyk-dgtu-zfhd
7
vulnerability VCID-5zmy-2ape-7qfa
8
vulnerability VCID-6vg9-hu9u-q7c3
9
vulnerability VCID-835a-arqz-g7h7
10
vulnerability VCID-91n6-evww-zybp
11
vulnerability VCID-98yf-mvnw-d3b4
12
vulnerability VCID-a64u-53x6-dfge
13
vulnerability VCID-amac-hqnj-xfgz
14
vulnerability VCID-cahz-4dy7-bbe9
15
vulnerability VCID-csqr-pdvv-gfbh
16
vulnerability VCID-dh4r-77xc-cbas
17
vulnerability VCID-djdy-z9r3-s3a2
18
vulnerability VCID-ej1r-mp6n-gudd
19
vulnerability VCID-fbjk-2uvy-mqfc
20
vulnerability VCID-j86y-n37n-n7ft
21
vulnerability VCID-mcbu-b45m-k3ck
22
vulnerability VCID-njyy-ywer-x7bf
23
vulnerability VCID-pu6f-xhvm-q3du
24
vulnerability VCID-pypb-cezm-rkb2
25
vulnerability VCID-ryct-uaw3-fyfc
26
vulnerability VCID-t3ap-dzfp-1bd6
27
vulnerability VCID-t476-g5u5-1yeh
28
vulnerability VCID-u5wv-47m4-8yd6
29
vulnerability VCID-wb11-e3rz-e3cf
30
vulnerability VCID-x9ns-34nt-gfer
31
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3
aliases CVE-2023-36543, GHSA-3h4m-m55v-gx4m, PYSEC-2023-106
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xh7u-8ze6-cqhk
65
url VCID-y7az-a4um-jqff
vulnerability_id VCID-y7az-a4um-jqff
summary The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.
references
0
reference_url https://github.com/advisories/GHSA-fh37-cx83-q542
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-fh37-cx83-q542
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/21cedff205e7d62675949fda2aa4616d77232b76
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/21cedff205e7d62675949fda2aa4616d77232b76
3
reference_url https://github.com/apache/airflow/commit/24a54242d56058846c7978130b3f37ca045d5142
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/24a54242d56058846c7978130b3f37ca045d5142
4
reference_url https://github.com/apache/airflow/commit/93957e917ff4cfb0be11aef088bd9527cf728a04
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/93957e917ff4cfb0be11aef088bd9527cf728a04
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-3.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-3.yaml
6
reference_url https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E
9
reference_url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
10
reference_url http://www.openwall.com/lists/oss-security/2021/02/17/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2021/02/17/2
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-26697
reference_id CVE-2021-26697
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-26697
fixed_packages
0
url pkg:pypi/apache-airflow@2.0.1rc1
purl pkg:pypi/apache-airflow@2.0.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-9tq4-v733-hug3
19
vulnerability VCID-amac-hqnj-xfgz
20
vulnerability VCID-b3w3-h9cm-ufgm
21
vulnerability VCID-cahz-4dy7-bbe9
22
vulnerability VCID-dh4r-77xc-cbas
23
vulnerability VCID-djdy-z9r3-s3a2
24
vulnerability VCID-due7-n14c-akfx
25
vulnerability VCID-ej1r-mp6n-gudd
26
vulnerability VCID-ez45-qkb4-xkba
27
vulnerability VCID-fbjk-2uvy-mqfc
28
vulnerability VCID-gn6e-a1yp-g7dw
29
vulnerability VCID-gz6e-b7dz-5qdf
30
vulnerability VCID-h6sp-398p-pbeg
31
vulnerability VCID-hah6-e5fc-juc5
32
vulnerability VCID-hy75-nfg7-zfae
33
vulnerability VCID-j86y-n37n-n7ft
34
vulnerability VCID-kh46-xrgm-9udx
35
vulnerability VCID-ks8d-9vr8-4feh
36
vulnerability VCID-mcbu-b45m-k3ck
37
vulnerability VCID-njyy-ywer-x7bf
38
vulnerability VCID-pu6f-xhvm-q3du
39
vulnerability VCID-pybp-gfy8-2qcr
40
vulnerability VCID-pypb-cezm-rkb2
41
vulnerability VCID-q84t-8dac-93dm
42
vulnerability VCID-qehu-58hj-67gn
43
vulnerability VCID-qmpd-946c-gqbc
44
vulnerability VCID-qr9h-6dg8-gkh3
45
vulnerability VCID-rkeh-vuxg-ubgn
46
vulnerability VCID-ryct-uaw3-fyfc
47
vulnerability VCID-suwt-h1ze-mydu
48
vulnerability VCID-t3ap-dzfp-1bd6
49
vulnerability VCID-t476-g5u5-1yeh
50
vulnerability VCID-u5wv-47m4-8yd6
51
vulnerability VCID-x9ns-34nt-gfer
52
vulnerability VCID-xh7u-8ze6-cqhk
53
vulnerability VCID-y7az-a4um-jqff
54
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1rc1
1
url pkg:pypi/apache-airflow@2.0.1
purl pkg:pypi/apache-airflow@2.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-835a-arqz-g7h7
16
vulnerability VCID-91n6-evww-zybp
17
vulnerability VCID-98yf-mvnw-d3b4
18
vulnerability VCID-amac-hqnj-xfgz
19
vulnerability VCID-b3w3-h9cm-ufgm
20
vulnerability VCID-cahz-4dy7-bbe9
21
vulnerability VCID-dh4r-77xc-cbas
22
vulnerability VCID-djdy-z9r3-s3a2
23
vulnerability VCID-due7-n14c-akfx
24
vulnerability VCID-ej1r-mp6n-gudd
25
vulnerability VCID-ez45-qkb4-xkba
26
vulnerability VCID-fbjk-2uvy-mqfc
27
vulnerability VCID-gn6e-a1yp-g7dw
28
vulnerability VCID-gz6e-b7dz-5qdf
29
vulnerability VCID-h6sp-398p-pbeg
30
vulnerability VCID-hah6-e5fc-juc5
31
vulnerability VCID-hy75-nfg7-zfae
32
vulnerability VCID-j86y-n37n-n7ft
33
vulnerability VCID-kh46-xrgm-9udx
34
vulnerability VCID-ks8d-9vr8-4feh
35
vulnerability VCID-mcbu-b45m-k3ck
36
vulnerability VCID-njyy-ywer-x7bf
37
vulnerability VCID-pu6f-xhvm-q3du
38
vulnerability VCID-pybp-gfy8-2qcr
39
vulnerability VCID-pypb-cezm-rkb2
40
vulnerability VCID-q84t-8dac-93dm
41
vulnerability VCID-qehu-58hj-67gn
42
vulnerability VCID-qmpd-946c-gqbc
43
vulnerability VCID-qr9h-6dg8-gkh3
44
vulnerability VCID-rkeh-vuxg-ubgn
45
vulnerability VCID-ryct-uaw3-fyfc
46
vulnerability VCID-suwt-h1ze-mydu
47
vulnerability VCID-t3ap-dzfp-1bd6
48
vulnerability VCID-t476-g5u5-1yeh
49
vulnerability VCID-u5wv-47m4-8yd6
50
vulnerability VCID-x9ns-34nt-gfer
51
vulnerability VCID-xh7u-8ze6-cqhk
52
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1
aliases CVE-2021-26697, GHSA-fh37-cx83-q542, PYSEC-2021-3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y7az-a4um-jqff
66
url VCID-ydhm-m8vh-mber
vulnerability_id VCID-ydhm-m8vh-mber
summary Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58
2
reference_url https://github.com/apache/airflow/pull/40475
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://github.com/apache/airflow/pull/40475
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml
4
reference_url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
5
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/6
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url http://www.openwall.com/lists/oss-security/2024/07/16/6
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39863
reference_id CVE-2024-39863
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-39863
7
reference_url https://github.com/advisories/GHSA-j482-47xf-p25c
reference_id GHSA-j482-47xf-p25c
reference_type
scores
url https://github.com/advisories/GHSA-j482-47xf-p25c
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.3
purl pkg:pypi/apache-airflow@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-dh4r-77xc-cbas
6
vulnerability VCID-djdy-z9r3-s3a2
7
vulnerability VCID-ej1r-mp6n-gudd
8
vulnerability VCID-mcbu-b45m-k3ck
9
vulnerability VCID-pu6f-xhvm-q3du
10
vulnerability VCID-t3ap-dzfp-1bd6
11
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3
aliases CVE-2024-39863, GHSA-j482-47xf-p25c, PYSEC-2024-189
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber
67
url VCID-z4w8-3mr1-63ed
vulnerability_id VCID-z4w8-3mr1-63ed
summary An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
references
0
reference_url https://github.com/advisories/GHSA-976r-qfjj-c24w
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-976r-qfjj-c24w
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/commit/1dda6fdde7c6bcaf0d6534786beeeba868006dd2
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/1dda6fdde7c6bcaf0d6534786beeeba868006dd2
3
reference_url https://github.com/apache/airflow/commit/afa4b11fddfdbadb048f742cf66d5c21c675a5c8
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/afa4b11fddfdbadb048f742cf66d5c21c675a5c8
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-15.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-15.yaml
5
reference_url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
6
reference_url https://web.archive.org/web/20220427031325/https://issues.apache.org/jira/browse/AIRFLOW-6351
reference_id
reference_type
scores
url https://web.archive.org/web/20220427031325/https://issues.apache.org/jira/browse/AIRFLOW-6351
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-11981
reference_id CVE-2020-11981
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-11981
fixed_packages
0
url pkg:pypi/apache-airflow@1.10.11rc1
purl pkg:pypi/apache-airflow@1.10.11rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2fnz-jqpe-nuau
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-2ysx-9hz5-fyfm
4
vulnerability VCID-3h3z-bfsc-jqax
5
vulnerability VCID-4ga6-4111-dyc9
6
vulnerability VCID-4xax-xw67-2qfv
7
vulnerability VCID-56eq-awhd-d3fr
8
vulnerability VCID-5cpd-kjpb-ekhv
9
vulnerability VCID-5jyk-dgtu-zfhd
10
vulnerability VCID-5yxa-ubfq-fqdx
11
vulnerability VCID-5zmy-2ape-7qfa
12
vulnerability VCID-6gjt-zsju-47a3
13
vulnerability VCID-6vg9-hu9u-q7c3
14
vulnerability VCID-71hr-1ews-9qa6
15
vulnerability VCID-82kk-s7d6-f7he
16
vulnerability VCID-835a-arqz-g7h7
17
vulnerability VCID-91n6-evww-zybp
18
vulnerability VCID-98yf-mvnw-d3b4
19
vulnerability VCID-9jm4-t1je-vqhm
20
vulnerability VCID-9tq4-v733-hug3
21
vulnerability VCID-amac-hqnj-xfgz
22
vulnerability VCID-b3w3-h9cm-ufgm
23
vulnerability VCID-cahz-4dy7-bbe9
24
vulnerability VCID-dh4r-77xc-cbas
25
vulnerability VCID-djdy-z9r3-s3a2
26
vulnerability VCID-due7-n14c-akfx
27
vulnerability VCID-ej1r-mp6n-gudd
28
vulnerability VCID-ez45-qkb4-xkba
29
vulnerability VCID-fbjk-2uvy-mqfc
30
vulnerability VCID-frbp-mhhr-8bdt
31
vulnerability VCID-gn6e-a1yp-g7dw
32
vulnerability VCID-gz6e-b7dz-5qdf
33
vulnerability VCID-h6sp-398p-pbeg
34
vulnerability VCID-hah6-e5fc-juc5
35
vulnerability VCID-hy75-nfg7-zfae
36
vulnerability VCID-j86y-n37n-n7ft
37
vulnerability VCID-kh46-xrgm-9udx
38
vulnerability VCID-ks8d-9vr8-4feh
39
vulnerability VCID-mcbu-b45m-k3ck
40
vulnerability VCID-njyy-ywer-x7bf
41
vulnerability VCID-pe8h-9hgu-j3hx
42
vulnerability VCID-pu6f-xhvm-q3du
43
vulnerability VCID-pybp-gfy8-2qcr
44
vulnerability VCID-pypb-cezm-rkb2
45
vulnerability VCID-q84t-8dac-93dm
46
vulnerability VCID-qehu-58hj-67gn
47
vulnerability VCID-qmpd-946c-gqbc
48
vulnerability VCID-qr9h-6dg8-gkh3
49
vulnerability VCID-quaj-w9r3-qya8
50
vulnerability VCID-reu2-2xcq-fqa4
51
vulnerability VCID-ryct-uaw3-fyfc
52
vulnerability VCID-suwt-h1ze-mydu
53
vulnerability VCID-t3ap-dzfp-1bd6
54
vulnerability VCID-t476-g5u5-1yeh
55
vulnerability VCID-trd4-8vc9-ufab
56
vulnerability VCID-u5wv-47m4-8yd6
57
vulnerability VCID-x9ns-34nt-gfer
58
vulnerability VCID-xh7u-8ze6-cqhk
59
vulnerability VCID-y7az-a4um-jqff
60
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1
aliases CVE-2020-11981, GHSA-976r-qfjj-c24w, PYSEC-2020-15
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z4w8-3mr1-63ed
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.3b2