Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/17767?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/17767?format=api", "purl": "pkg:pypi/apache-airflow@1.10.7rc2", "type": "pypi", "namespace": "", "name": "apache-airflow", "version": "1.10.7rc2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.2.0", "latest_non_vulnerable_version": "3.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36041?format=api", "vulnerability_id": "VCID-2fnz-jqpe-nuau", "summary": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh" }, { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml" }, { "reference_url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45229", "reference_id": "CVE-2021-45229", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45229" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26750?format=api", "purl": "pkg:pypi/apache-airflow@2.2.4rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4rc1" } ], "aliases": [ "CVE-2021-45229", "GHSA-65xw-pcqw-hjrh", "PYSEC-2022-29" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2fnz-jqpe-nuau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37294?format=api", "vulnerability_id": "VCID-2xr2-w3hk-auck", "summary": "Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/61641", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/61641" }, { "reference_url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-25917", "PYSEC-2026-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36291?format=api", "vulnerability_id": "VCID-2ysx-9hz5-fyfm", "summary": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/27143", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/27143" }, { "reference_url": "https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29670?format=api", "purl": "pkg:pypi/apache-airflow@2.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2" } ], "aliases": [ "CVE-2022-43985", "PYSEC-2022-42971" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ysx-9hz5-fyfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36650?format=api", "vulnerability_id": "VCID-3h3z-bfsc-jqax", "summary": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.\nThis flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.\nUsers are recommended to upgrade to 2.8.0, which fixes this issue", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929" }, { "reference_url": "https://github.com/apache/airflow/pull/33932", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/apache/airflow/pull/33932" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml" }, { "reference_url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/21/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/21/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50783", "reference_id": "CVE-2023-50783", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50783" }, { "reference_url": "https://github.com/advisories/GHSA-5938-79hg-xh3q", "reference_id": "GHSA-5938-79hg-xh3q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5938-79hg-xh3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32013?format=api", "purl": "pkg:pypi/apache-airflow@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0" } ], "aliases": [ "CVE-2023-50783", "GHSA-5938-79hg-xh3q", "PYSEC-2023-267" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3h3z-bfsc-jqax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36700?format=api", "vulnerability_id": "VCID-4ga6-4111-dyc9", "summary": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1" }, { "reference_url": "https://github.com/apache/airflow/pull/36257", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/36257" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml" }, { "reference_url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50944", "reference_id": "CVE-2023-50944", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50944" }, { "reference_url": "https://github.com/advisories/GHSA-vm5m-qmrx-fw8w", "reference_id": "GHSA-vm5m-qmrx-fw8w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vm5m-qmrx-fw8w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32014?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32015?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1" } ], "aliases": [ "CVE-2023-50944", "GHSA-vm5m-qmrx-fw8w", "PYSEC-2024-14" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36311?format=api", "vulnerability_id": "VCID-4xax-xw67-2qfv", "summary": "A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/22754", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/22754" }, { "reference_url": "https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/11/14/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/11/14/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29109?format=api", "purl": "pkg:pypi/apache-airflow@2.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4bps-htex-tqgk" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5nys-mzgw-4khd" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6pk8-baws-e3dt" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.1" } ], "aliases": [ "CVE-2022-27949", "PYSEC-2022-42981" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4xax-xw67-2qfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35588?format=api", "vulnerability_id": "VCID-4xdb-1kww-sfdh", "summary": "An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-rvmq-4x66-q7j3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rvmq-4x66-q7j3" }, { "reference_url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17780?format=api", "purl": "pkg:pypi/apache-airflow@1.10.11rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-82kk-s7d6-f7he" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9jm4-t1je-vqhm" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pe8h-9hgu-j3hx" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-quaj-w9r3-qya8" }, { "vulnerability": "VCID-reu2-2xcq-fqa4" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1" } ], "aliases": [ "CVE-2020-11978", "GHSA-rvmq-4x66-q7j3", "PYSEC-2020-14" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4xdb-1kww-sfdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36861?format=api", "vulnerability_id": "VCID-56eq-awhd-d3fr", "summary": "Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. \nUsers are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/41672", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/41672" }, { "reference_url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/09/06/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/09/06/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32042?format=api", "purl": "pkg:pypi/apache-airflow@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1" } ], "aliases": [ "CVE-2024-45034", "PYSEC-2024-212" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36572?format=api", "vulnerability_id": "VCID-5cpd-kjpb-ekhv", "summary": "Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/34315", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/34315" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml" }, { "reference_url": "https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42663", "reference_id": "CVE-2023-42663", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42663" }, { "reference_url": "https://github.com/advisories/GHSA-32wr-qqw6-5mfp", "reference_id": "GHSA-32wr-qqw6-5mfp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-32wr-qqw6-5mfp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42663", "GHSA-32wr-qqw6-5mfp", "PYSEC-2023-197" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5cpd-kjpb-ekhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36290?format=api", "vulnerability_id": "VCID-5yxa-ubfq-fqdx", "summary": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/27143", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/27143" }, { "reference_url": "https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29670?format=api", "purl": "pkg:pypi/apache-airflow@2.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2" } ], "aliases": [ "CVE-2022-43982", "PYSEC-2022-42970" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5yxa-ubfq-fqdx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36544?format=api", "vulnerability_id": "VCID-5zmy-2ape-7qfa", "summary": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.\n\nUsers are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e" }, { "reference_url": "https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148" }, { "reference_url": "https://github.com/apache/airflow/pull/33512", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33512" }, { "reference_url": "https://github.com/apache/airflow/pull/33516", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33516" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml" }, { "reference_url": "https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40712", "reference_id": "CVE-2023-40712", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40712" }, { "reference_url": "https://github.com/advisories/GHSA-mjqh-v5f2-g2mw", "reference_id": "GHSA-mjqh-v5f2-g2mw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mjqh-v5f2-g2mw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32003?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1" } ], "aliases": [ "CVE-2023-40712", "GHSA-mjqh-v5f2-g2mw", "PYSEC-2023-171" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5zmy-2ape-7qfa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36517?format=api", "vulnerability_id": "VCID-6gjt-zsju-47a3", "summary": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.\n\nApache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.\nThis issue affects Apache Airflow Drill Provider: before 2.4.3.\nIt is recommended to upgrade to a version that is not affected.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110" }, { "reference_url": "https://github.com/apache/airflow/pull/33074", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33074" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml" }, { "reference_url": "https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/08/11/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2023/08/11/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/08/11/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/08/11/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39553", "reference_id": "CVE-2023-39553", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39553" }, { "reference_url": "https://github.com/advisories/GHSA-mq4v-6vg4-796c", "reference_id": "GHSA-mq4v-6vg4-796c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mq4v-6vg4-796c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29765?format=api", "purl": "pkg:pypi/apache-airflow@2.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3" } ], "aliases": [ "CVE-2023-39553", "GHSA-mq4v-6vg4-796c", "PYSEC-2023-136" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6gjt-zsju-47a3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36744?format=api", "vulnerability_id": "VCID-6vg9-hu9u-q7c3", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b" }, { "reference_url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9" }, { "reference_url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7" }, { "reference_url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a" }, { "reference_url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326" }, { "reference_url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446" }, { "reference_url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24" }, { "reference_url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2" }, { "reference_url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4" }, { "reference_url": "https://github.com/apache/airflow/pull/37290", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37290" }, { "reference_url": "https://github.com/apache/airflow/pull/37468", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37468" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml" }, { "reference_url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/29/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/02/29/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906", "reference_id": "CVE-2024-27906", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906" }, { "reference_url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2", "reference_id": "GHSA-6v6w-h8m6-7mv2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-27906", "GHSA-6v6w-h8m6-7mv2", "PYSEC-2024-245" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36486?format=api", "vulnerability_id": "VCID-71hr-1ews-9qa6", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db" }, { "reference_url": "https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352" }, { "reference_url": "https://github.com/apache/airflow/pull/32014", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32014" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml" }, { "reference_url": "https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35908", "reference_id": "CVE-2023-35908", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35908" }, { "reference_url": "https://github.com/advisories/GHSA-2h84-3crq-vgfj", "reference_id": "GHSA-2h84-3crq-vgfj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2h84-3crq-vgfj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-35908", "GHSA-2h84-3crq-vgfj", "PYSEC-2023-119" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-71hr-1ews-9qa6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35692?format=api", "vulnerability_id": "VCID-82kk-s7d6-f7he", "summary": "In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-cvcq-gmc3-q6m8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cvcq-gmc3-q6m8" }, { "reference_url": "https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19300?format=api", "purl": "pkg:pypi/apache-airflow@1.10.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13" } ], "aliases": [ "CVE-2020-17511", "GHSA-cvcq-gmc3-q6m8", "PYSEC-2020-262" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-82kk-s7d6-f7he" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36745?format=api", "vulnerability_id": "VCID-835a-arqz-g7h7", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa" }, { "reference_url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99" }, { "reference_url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e" }, { "reference_url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d" }, { "reference_url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f" }, { "reference_url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c" }, { "reference_url": "https://github.com/apache/airflow/pull/37501", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37501" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml" }, { "reference_url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280", "reference_id": "CVE-2024-26280", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280" }, { "reference_url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459", "reference_id": "GHSA-6xwf-xvf3-v459", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-26280", "GHSA-6xwf-xvf3-v459", "PYSEC-2024-42" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37295?format=api", "vulnerability_id": "VCID-91n6-evww-zybp", "summary": "In case of SQL errors, exception/stack trace of errors was exposed in API even if \"api/expose_stack_traces\" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/63028", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/63028" }, { "reference_url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-30912", "PYSEC-2026-18" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36607?format=api", "vulnerability_id": "VCID-98yf-mvnw-d3b4", "summary": "Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome.\nUsers of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3" }, { "reference_url": "https://github.com/apache/airflow/pull/34939", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/34939" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml" }, { "reference_url": "https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42781", "reference_id": "CVE-2023-42781", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42781" }, { "reference_url": "https://github.com/advisories/GHSA-r7x6-xfcm-3mxv", "reference_id": "GHSA-r7x6-xfcm-3mxv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-r7x6-xfcm-3mxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32007?format=api", "purl": "pkg:pypi/apache-airflow@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3" } ], "aliases": [ "CVE-2023-42781", "GHSA-r7x6-xfcm-3mxv", "PYSEC-2023-231" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-98yf-mvnw-d3b4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35693?format=api", "vulnerability_id": "VCID-9jm4-t1je-vqhm", "summary": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-6r3p-fcvm-xh7c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6r3p-fcvm-xh7c" }, { "reference_url": "https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19300?format=api", "purl": "pkg:pypi/apache-airflow@1.10.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13" } ], "aliases": [ "CVE-2020-17513", "GHSA-6r3p-fcvm-xh7c", "PYSEC-2020-20" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jm4-t1je-vqhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35725?format=api", "vulnerability_id": "VCID-9tq4-v733-hug3", "summary": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-ffw3-6mp6-jmvj", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ffw3-6mp6-jmvj" }, { "reference_url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/02/17/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19941?format=api", "purl": "pkg:pypi/apache-airflow@2.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-rkeh-vuxg-ubgn" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1" } ], "aliases": [ "CVE-2021-26559", "GHSA-ffw3-6mp6-jmvj", "PYSEC-2021-2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9tq4-v733-hug3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36699?format=api", "vulnerability_id": "VCID-amac-hqnj-xfgz", "summary": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462" }, { "reference_url": "https://github.com/apache/airflow/pull/36255", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/36255" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml" }, { "reference_url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50943", "reference_id": "CVE-2023-50943", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50943" }, { "reference_url": "https://github.com/advisories/GHSA-c3c6-f2ww-xfr2", "reference_id": "GHSA-c3c6-f2ww-xfr2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c3c6-f2ww-xfr2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32014?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32015?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1" } ], "aliases": [ "CVE-2023-50943", "GHSA-c3c6-f2ww-xfr2", "PYSEC-2024-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36510?format=api", "vulnerability_id": "VCID-b3w3-h9cm-ufgm", "summary": "Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The \"Run Task\" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The \"Run Task\" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0\n\nThis issue affects Apache Airflow: before 2.6.0.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8" }, { "reference_url": "https://github.com/apache/airflow/pull/29706", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/29706" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml" }, { "reference_url": "https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39508", "reference_id": "CVE-2023-39508", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39508" }, { "reference_url": "https://github.com/advisories/GHSA-269x-pg5c-5xgm", "reference_id": "GHSA-269x-pg5c-5xgm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-269x-pg5c-5xgm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31981?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/31987?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0" } ], "aliases": [ "CVE-2023-39508", "GHSA-269x-pg5c-5xgm", "PYSEC-2023-134" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3w3-h9cm-ufgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35592?format=api", "vulnerability_id": "VCID-bwd5-3jt5-pyb8", "summary": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-q4p3-qw5c-mhpc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q4p3-qw5c-mhpc" }, { "reference_url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17780?format=api", "purl": "pkg:pypi/apache-airflow@1.10.11rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-82kk-s7d6-f7he" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9jm4-t1je-vqhm" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pe8h-9hgu-j3hx" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-quaj-w9r3-qya8" }, { "vulnerability": "VCID-reu2-2xcq-fqa4" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1" } ], "aliases": [ "CVE-2020-11983", "GHSA-q4p3-qw5c-mhpc", "PYSEC-2020-17" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bwd5-3jt5-pyb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36526?format=api", "vulnerability_id": "VCID-cahz-4dy7-bbe9", "summary": "The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).\n\nWith this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.\n\nUsers of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6" }, { "reference_url": "https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b" }, { "reference_url": "https://github.com/apache/airflow/pull/33347", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/33347" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml" }, { "reference_url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/08/23/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://www.openwall.com/lists/oss-security/2023/08/23/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40273", "reference_id": "CVE-2023-40273", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40273" }, { "reference_url": "https://github.com/advisories/GHSA-pm87-24wq-r8w9", "reference_id": "GHSA-pm87-24wq-r8w9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pm87-24wq-r8w9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31999?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/32001?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1" } ], "aliases": [ "CVE-2023-40273", "GHSA-pm87-24wq-r8w9", "PYSEC-2023-158" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cahz-4dy7-bbe9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36389?format=api", "vulnerability_id": "VCID-dh4r-77xc-cbas", "summary": "Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.\n\nThis issue affects Apache Airflow Sqoop Provider versions before 3.1.1.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/29500", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/29500" }, { "reference_url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693", "reference_id": "CVE-2023-25693", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693" }, { "reference_url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf", "reference_id": "GHSA-j69x-v4wc-3fpf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32098?format=api", "purl": "pkg:pypi/apache-airflow@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-ezmu-8g1y-e3hz" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-snqz-3f8t-syhd" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1" } ], "aliases": [ "CVE-2023-25693", "GHSA-j69x-v4wc-3fpf", "PYSEC-2023-314" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35836?format=api", "vulnerability_id": "VCID-due7-n14c-akfx", "summary": "If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-m6h2-jx9v-58w6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m6h2-jx9v-58w6" }, { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/27265516d2b897585f5019ecd820cfe5471fd351", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/27265516d2b897585f5019ecd820cfe5471fd351" }, { "reference_url": "https://github.com/apache/airflow/commit/7a5bb88ad78d600fbb1676a55752597928115bd8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/7a5bb88ad78d600fbb1676a55752597928115bd8" }, { "reference_url": "https://github.com/apache/airflow/commit/d772f38f843b9add5319a01cf51a844145b01f63", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d772f38f843b9add5319a01cf51a844145b01f63" }, { "reference_url": "https://github.com/apache/airflow/compare/2.1.1...2.1.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/compare/2.1.1...2.1.2" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-122.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-122.yaml" }, { "reference_url": "https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35936", "reference_id": "CVE-2021-35936", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35936" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23311?format=api", "purl": "pkg:pypi/apache-airflow@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-rkeh-vuxg-ubgn" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.1.2" } ], "aliases": [ "CVE-2021-35936", "GHSA-m6h2-jx9v-58w6", "PYSEC-2021-122" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-due7-n14c-akfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36484?format=api", "vulnerability_id": "VCID-ez45-qkb4-xkba", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8" }, { "reference_url": "https://github.com/apache/airflow/pull/32309", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32309" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml" }, { "reference_url": "https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46651", "reference_id": "CVE-2022-46651", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46651" }, { "reference_url": "https://github.com/advisories/GHSA-xvw9-3mhm-xjqq", "reference_id": "GHSA-xvw9-3mhm-xjqq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xvw9-3mhm-xjqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2022-46651", "GHSA-xvw9-3mhm-xjqq", "PYSEC-2023-103" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ez45-qkb4-xkba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36608?format=api", "vulnerability_id": "VCID-fbjk-2uvy-mqfc", "summary": "We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. \n\nApache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. \n\nUsers should upgrade to version 2.7.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad" }, { "reference_url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef" }, { "reference_url": "https://github.com/apache/airflow/pull/33413", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33413" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml" }, { "reference_url": "https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47037", "reference_id": "CVE-2023-47037", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47037" }, { "reference_url": "https://github.com/advisories/GHSA-hm9r-7f84-25c9", "reference_id": "GHSA-hm9r-7f84-25c9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hm9r-7f84-25c9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32007?format=api", "purl": "pkg:pypi/apache-airflow@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3" } ], "aliases": [ "CVE-2023-47037", "GHSA-hm9r-7f84-25c9", "PYSEC-2023-232" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fbjk-2uvy-mqfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37165?format=api", "vulnerability_id": "VCID-frbp-mhhr-8bdt", "summary": "Edge3 Worker RPC RCE on Airflow 2.\n\nThis issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2.\n\n\n\nThe Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do.\n\nIf you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) has minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2.\n\nIf you used Edge Provider in Airflow 3, you are not affected.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/59143", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/59143" }, { "reference_url": "https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/12/16/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2025/12/16/3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67895", "reference_id": "CVE-2025-67895", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67895" }, { "reference_url": "https://github.com/advisories/GHSA-66h8-3g48-6hx8", "reference_id": "GHSA-66h8-3g48-6hx8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-66h8-3g48-6hx8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19938?format=api", "purl": "pkg:pypi/apache-airflow@2.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-rkeh-vuxg-ubgn" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.0" } ], "aliases": [ "CVE-2025-67895", "GHSA-66h8-3g48-6hx8", "PYSEC-2025-87" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-frbp-mhhr-8bdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35967?format=api", "vulnerability_id": "VCID-gn6e-a1yp-g7dw", "summary": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-4jh2-3c85-q67h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4jh2-3c85-q67h" }, { "reference_url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45230", "reference_id": "CVE-2021-45230", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45230" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19932?format=api", "purl": "pkg:pypi/apache-airflow@2.0.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/26396?format=api", "purl": "pkg:pypi/apache-airflow@2.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.0" } ], "aliases": [ "CVE-2021-45230", "GHSA-4jh2-3c85-q67h", "PYSEC-2022-11" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gn6e-a1yp-g7dw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36180?format=api", "vulnerability_id": "VCID-gz6e-b7dz-5qdf", "summary": "In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-q8h9-pqcx-59hw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q8h9-pqcx-59hw" }, { "reference_url": "https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/09/02/12", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/09/02/12" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/09/02/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/09/02/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29118?format=api", "purl": "pkg:pypi/apache-airflow@2.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4bps-htex-tqgk" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6pk8-baws-e3dt" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.4" } ], "aliases": [ "CVE-2022-38170", "GHSA-q8h9-pqcx-59hw", "PYSEC-2022-261" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gz6e-b7dz-5qdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36487?format=api", "vulnerability_id": "VCID-h6sp-398p-pbeg", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02" }, { "reference_url": "https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3" }, { "reference_url": "https://github.com/apache/airflow/pull/32293", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32293" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml" }, { "reference_url": "https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22887", "reference_id": "CVE-2023-22887", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22887" }, { "reference_url": "https://github.com/advisories/GHSA-ggwr-4vr8-g7wv", "reference_id": "GHSA-ggwr-4vr8-g7wv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ggwr-4vr8-g7wv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-22887", "GHSA-ggwr-4vr8-g7wv", "PYSEC-2023-104" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h6sp-398p-pbeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36402?format=api", "vulnerability_id": "VCID-hah6-e5fc-juc5", "summary": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951" }, { "reference_url": "https://github.com/apache/airflow/pull/29501", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/29501" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml" }, { "reference_url": "https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25695", "reference_id": "CVE-2023-25695", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25695" }, { "reference_url": "https://github.com/advisories/GHSA-h6g5-wqqr-3mw3", "reference_id": "GHSA-h6g5-wqqr-3mw3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h6g5-wqqr-3mw3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31975?format=api", "purl": "pkg:pypi/apache-airflow@2.5.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/31977?format=api", "purl": "pkg:pypi/apache-airflow@2.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2" } ], "aliases": [ "CVE-2023-25695", "GHSA-h6g5-wqqr-3mw3", "PYSEC-2023-2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hah6-e5fc-juc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36488?format=api", "vulnerability_id": "VCID-hy75-nfg7-zfae", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02" }, { "reference_url": "https://github.com/apache/airflow/pull/32293", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32293" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml" }, { "reference_url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22888", "reference_id": "CVE-2023-22888", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22888" }, { "reference_url": "https://github.com/advisories/GHSA-5946-8p38-vffp", "reference_id": "GHSA-5946-8p38-vffp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5946-8p38-vffp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-22888", "GHSA-5946-8p38-vffp", "PYSEC-2023-105" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hy75-nfg7-zfae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36651?format=api", "vulnerability_id": "VCID-j86y-n37n-n7ft", "summary": "Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nThis is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 \n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c" }, { "reference_url": "https://github.com/apache/airflow/pull/34366", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/34366" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml" }, { "reference_url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/21/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/21/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48291", "reference_id": "CVE-2023-48291", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48291" }, { "reference_url": "https://github.com/advisories/GHSA-8f57-wcmg-4jmh", "reference_id": "GHSA-8f57-wcmg-4jmh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8f57-wcmg-4jmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32013?format=api", "purl": "pkg:pypi/apache-airflow@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0" } ], "aliases": [ "CVE-2023-48291", "GHSA-8f57-wcmg-4jmh", "PYSEC-2023-265" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j86y-n37n-n7ft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35589?format=api", "vulnerability_id": "VCID-jq98-gxbc-pydt", "summary": "An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the \"classic\" UI.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-j38c-25fj-mr84", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j38c-25fj-mr84" }, { "reference_url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17780?format=api", "purl": "pkg:pypi/apache-airflow@1.10.11rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-82kk-s7d6-f7he" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9jm4-t1je-vqhm" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pe8h-9hgu-j3hx" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-quaj-w9r3-qya8" }, { "vulnerability": "VCID-reu2-2xcq-fqa4" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1" } ], "aliases": [ "CVE-2020-9485", "GHSA-j38c-25fj-mr84", "PYSEC-2020-23" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jq98-gxbc-pydt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36258?format=api", "vulnerability_id": "VCID-kh46-xrgm-9udx", "summary": "In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/26635", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/26635" }, { "reference_url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29467?format=api", "purl": "pkg:pypi/apache-airflow@2.4.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2rc1" } ], "aliases": [ "CVE-2022-41672", "PYSEC-2022-42983" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kh46-xrgm-9udx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35787?format=api", "vulnerability_id": "VCID-ks8d-9vr8-4feh", "summary": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336)", "references": [ { "reference_url": "https://github.com/advisories/GHSA-3xxv-p78r-4fc6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3xxv-p78r-4fc6" }, { "reference_url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19931?format=api", "purl": "pkg:pypi/apache-airflow@1.10.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/21648?format=api", "purl": "pkg:pypi/apache-airflow@2.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-rkeh-vuxg-ubgn" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.2" } ], "aliases": [ "CVE-2021-28359", "GHSA-3xxv-p78r-4fc6", "PYSEC-2021-4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ks8d-9vr8-4feh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36856?format=api", "vulnerability_id": "VCID-mcbu-b45m-k3ck", "summary": "Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.\nUsers should upgrade to 2.10.0 or later, which fixes this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/40933", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/40933" }, { "reference_url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/08/21/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/08/21/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32040?format=api", "purl": "pkg:pypi/apache-airflow@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0" } ], "aliases": [ "CVE-2024-41937", "PYSEC-2024-181" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36575?format=api", "vulnerability_id": "VCID-njyy-ywer-x7bf", "summary": "Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/34366", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/apache/airflow/pull/34366" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml" }, { "reference_url": "https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42792", "reference_id": "CVE-2023-42792", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42792" }, { "reference_url": "https://github.com/advisories/GHSA-j3w8-2p2h-mrr9", "reference_id": "GHSA-j3w8-2p2h-mrr9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j3w8-2p2h-mrr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42792", "GHSA-j3w8-2p2h-mrr9", "PYSEC-2023-203" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-njyy-ywer-x7bf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35591?format=api", "vulnerability_id": "VCID-p9we-cpy2-17h4", "summary": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-9g2w-5f3v-mfmm", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9g2w-5f3v-mfmm" }, { "reference_url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17780?format=api", "purl": "pkg:pypi/apache-airflow@1.10.11rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-82kk-s7d6-f7he" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9jm4-t1je-vqhm" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pe8h-9hgu-j3hx" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-quaj-w9r3-qya8" }, { "vulnerability": "VCID-reu2-2xcq-fqa4" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1" } ], "aliases": [ "CVE-2020-11982", "GHSA-9g2w-5f3v-mfmm", "PYSEC-2020-16" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p9we-cpy2-17h4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35691?format=api", "vulnerability_id": "VCID-pe8h-9hgu-j3hx", "summary": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-86vp-x3pr-79rx", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-86vp-x3pr-79rx" }, { "reference_url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2020/12/11/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/01/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19300?format=api", "purl": "pkg:pypi/apache-airflow@1.10.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.13" } ], "aliases": [ "CVE-2020-17515", "GHSA-86vp-x3pr-79rx", "PYSEC-2020-21" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pe8h-9hgu-j3hx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36040?format=api", "vulnerability_id": "VCID-pybp-gfy8-2qcr", "summary": "In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-3v7g-4pg3-7r6j", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3v7g-4pg3-7r6j" }, { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml" }, { "reference_url": "https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24288", "reference_id": "CVE-2022-24288", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24288" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26751?format=api", "purl": "pkg:pypi/apache-airflow@2.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5nys-mzgw-4khd" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4" } ], "aliases": [ "CVE-2022-24288", "GHSA-3v7g-4pg3-7r6j", "PYSEC-2022-30" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pybp-gfy8-2qcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36545?format=api", "vulnerability_id": "VCID-pypb-cezm-rkb2", "summary": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.\n\nUsers should upgrade to version 2.7.1 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad" }, { "reference_url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef" }, { "reference_url": "https://github.com/apache/airflow/pull/33413", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33413" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml" }, { "reference_url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611", "reference_id": "CVE-2023-40611", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611" }, { "reference_url": "https://github.com/advisories/GHSA-wpg8-mf6h-gm92", "reference_id": "GHSA-wpg8-mf6h-gm92", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wpg8-mf6h-gm92" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32003?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1" } ], "aliases": [ "CVE-2023-40611", "GHSA-wpg8-mf6h-gm92", "PYSEC-2023-170" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pypb-cezm-rkb2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36310?format=api", "vulnerability_id": "VCID-q84t-8dac-93dm", "summary": "A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/25960", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/25960" }, { "reference_url": "https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/11/14/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/11/14/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29464?format=api", "purl": "pkg:pypi/apache-airflow@2.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.0" } ], "aliases": [ "CVE-2022-40127", "PYSEC-2022-42982" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q84t-8dac-93dm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36313?format=api", "vulnerability_id": "VCID-qehu-58hj-67gn", "summary": "In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/27576", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/27576" }, { "reference_url": "https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/11/15/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29765?format=api", "purl": "pkg:pypi/apache-airflow@2.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3" } ], "aliases": [ "CVE-2022-45402", "PYSEC-2022-42984" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qehu-58hj-67gn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36436?format=api", "vulnerability_id": "VCID-qmpd-946c-gqbc", "summary": "Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473" }, { "reference_url": "https://github.com/apache/airflow/pull/29506", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/29506" }, { "reference_url": "https://github.com/apache/airflow/releases/tag/2.6.0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/releases/tag/2.6.0" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml" }, { "reference_url": "https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/05/08/2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2023/05/08/2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25754", "reference_id": "CVE-2023-25754", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25754" }, { "reference_url": "https://github.com/advisories/GHSA-jchm-fm4q-c2fp", "reference_id": "GHSA-jchm-fm4q-c2fp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jchm-fm4q-c2fp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31981?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/31987?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0" } ], "aliases": [ "CVE-2023-25754", "GHSA-jchm-fm4q-c2fp", "PYSEC-2023-59" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmpd-946c-gqbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36415?format=api", "vulnerability_id": "VCID-qr9h-6dg8-gkh3", "summary": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3" }, { "reference_url": "https://github.com/apache/airflow/pull/30215", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/30215" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml" }, { "reference_url": "https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/04/07/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2023/04/07/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28707", "reference_id": "CVE-2023-28707", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28707" }, { "reference_url": "https://github.com/advisories/GHSA-85pf-r4c7-3j9r", "reference_id": "GHSA-85pf-r4c7-3j9r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-85pf-r4c7-3j9r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29112?format=api", "purl": "pkg:pypi/apache-airflow@2.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4bps-htex-tqgk" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5nys-mzgw-4khd" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6pk8-baws-e3dt" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.2" } ], "aliases": [ "CVE-2023-28707", "GHSA-85pf-r4c7-3j9r", "PYSEC-2023-3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qr9h-6dg8-gkh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35669?format=api", "vulnerability_id": "VCID-quaj-w9r3-qya8", "summary": "The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default", "references": [ { "reference_url": "https://github.com/advisories/GHSA-hhx9-p69v-cx2j", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hhx9-p69v-cx2j" }, { "reference_url": "https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18306?format=api", "purl": "pkg:pypi/apache-airflow@1.10.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-82kk-s7d6-f7he" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9jm4-t1je-vqhm" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pe8h-9hgu-j3hx" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-reu2-2xcq-fqa4" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11" } ], "aliases": [ "CVE-2020-13927", "GHSA-hhx9-p69v-cx2j", "PYSEC-2020-18" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-quaj-w9r3-qya8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35620?format=api", "vulnerability_id": "VCID-reu2-2xcq-fqa4", "summary": "In Apache Airflow < 1.10.12, the \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-4pwq-fj89-6rjc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4pwq-fj89-6rjc" }, { "reference_url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2020/12/11/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/01/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18311?format=api", "purl": "pkg:pypi/apache-airflow@1.10.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-82kk-s7d6-f7he" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9jm4-t1je-vqhm" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pe8h-9hgu-j3hx" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.12" } ], "aliases": [ "CVE-2020-13944", "GHSA-4pwq-fj89-6rjc", "PYSEC-2020-19" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-reu2-2xcq-fqa4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36527?format=api", "vulnerability_id": "VCID-ryct-uaw3-fyfc", "summary": "Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603" }, { "reference_url": "https://github.com/apache/airflow/pull/32052", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "https://github.com/apache/airflow/pull/32052" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml" }, { "reference_url": "https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/08/23/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2023/08/23/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37379", "reference_id": "CVE-2023-37379", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37379" }, { "reference_url": "https://github.com/advisories/GHSA-x2mh-8fmc-rqgh", "reference_id": "GHSA-x2mh-8fmc-rqgh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x2mh-8fmc-rqgh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31997?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32000?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-c5dx-r8gh-93fm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0" } ], "aliases": [ "CVE-2023-37379", "GHSA-x2mh-8fmc-rqgh", "PYSEC-2023-152" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ryct-uaw3-fyfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36435?format=api", "vulnerability_id": "VCID-suwt-h1ze-mydu", "summary": "Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75" }, { "reference_url": "https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e" }, { "reference_url": "https://github.com/apache/airflow/pull/30447", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/30447" }, { "reference_url": "https://github.com/apache/airflow/pull/30779", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/30779" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml" }, { "reference_url": "https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29247", "reference_id": "CVE-2023-29247", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29247" }, { "reference_url": "https://github.com/advisories/GHSA-vcf6-3wv2-5vcr", "reference_id": "GHSA-vcf6-3wv2-5vcr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vcf6-3wv2-5vcr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31987?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0" } ], "aliases": [ "CVE-2023-29247", "GHSA-vcf6-3wv2-5vcr", "PYSEC-2023-60" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-suwt-h1ze-mydu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37186?format=api", "vulnerability_id": "VCID-t3ap-dzfp-1bd6", "summary": "In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.\n\nUsers are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/59688", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/59688" }, { "reference_url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/01/15/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/01/15/6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675", "reference_id": "CVE-2025-68675", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675" }, { "reference_url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h", "reference_id": "GHSA-7c2f-r6gc-h92h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32056?format=api", "purl": "pkg:pypi/apache-airflow@2.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/47095?format=api", "purl": "pkg:pypi/apache-airflow@3.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6" } ], "aliases": [ "CVE-2025-68675", "GHSA-7c2f-r6gc-h92h", "PYSEC-2026-10" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36573?format=api", "vulnerability_id": "VCID-t476-g5u5-1yeh", "summary": "Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/34355", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/34355" }, { "reference_url": "https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42780", "reference_id": "CVE-2023-42780", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42780" }, { "reference_url": "https://github.com/advisories/GHSA-cgx2-rrmr-jx43", "reference_id": "GHSA-cgx2-rrmr-jx43", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cgx2-rrmr-jx43" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42780", "GHSA-cgx2-rrmr-jx43", "PYSEC-2023-202" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t476-g5u5-1yeh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35695?format=api", "vulnerability_id": "VCID-trd4-8vc9-ufab", "summary": "Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-7mx5-x372-xh87", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7mx5-x372-xh87" }, { "reference_url": "https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2020/12/21/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2020/12/21/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19364?format=api", "purl": "pkg:pypi/apache-airflow@1.10.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.14" } ], "aliases": [ "CVE-2020-17526", "GHSA-7mx5-x372-xh87", "PYSEC-2020-22" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-trd4-8vc9-ufab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36933?format=api", "vulnerability_id": "VCID-u5wv-47m4-8yd6", "summary": "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/43040", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/43040" }, { "reference_url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/11/15/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/11/15/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32047?format=api", "purl": "pkg:pypi/apache-airflow@2.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3" } ], "aliases": [ "CVE-2024-45784", "PYSEC-2024-182" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36817?format=api", "vulnerability_id": "VCID-x9ns-34nt-gfer", "summary": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. \n\nAirflow did not return \"Cache-Control\" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.\n\nThis issue affects Apache Airflow: before 2.9.2.\n\nUsers are recommended to upgrade to version 2.9.2, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/39550", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/39550" }, { "reference_url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/06/13/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/06/13/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32034?format=api", "purl": "pkg:pypi/apache-airflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2" } ], "aliases": [ "CVE-2024-25142", "PYSEC-2024-195" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36485?format=api", "vulnerability_id": "VCID-xh7u-8ze6-cqhk", "summary": "Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315" }, { "reference_url": "https://github.com/apache/airflow/pull/32060", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32060" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml" }, { "reference_url": "https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36543", "reference_id": "CVE-2023-36543", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36543" }, { "reference_url": "https://github.com/advisories/GHSA-3h4m-m55v-gx4m", "reference_id": "GHSA-3h4m-m55v-gx4m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3h4m-m55v-gx4m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-36543", "GHSA-3h4m-m55v-gx4m", "PYSEC-2023-106" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xh7u-8ze6-cqhk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35724?format=api", "vulnerability_id": "VCID-y7az-a4um-jqff", "summary": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-fh37-cx83-q542", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fh37-cx83-q542" }, { "reference_url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/02/17/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19941?format=api", "purl": "pkg:pypi/apache-airflow@2.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-rkeh-vuxg-ubgn" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.1" } ], "aliases": [ "CVE-2021-26697", "GHSA-fh37-cx83-q542", "PYSEC-2021-3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y7az-a4um-jqff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36835?format=api", "vulnerability_id": "VCID-ydhm-m8vh-mber", "summary": "Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/40475", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/40475" }, { "reference_url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32036?format=api", "purl": "pkg:pypi/apache-airflow@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3" } ], "aliases": [ "CVE-2024-39863", "PYSEC-2024-189" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35590?format=api", "vulnerability_id": "VCID-z4w8-3mr1-63ed", "summary": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-976r-qfjj-c24w", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-976r-qfjj-c24w" }, { "reference_url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17780?format=api", "purl": "pkg:pypi/apache-airflow@1.10.11rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-82kk-s7d6-f7he" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9jm4-t1je-vqhm" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gn6e-a1yp-g7dw" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-ks8d-9vr8-4feh" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pe8h-9hgu-j3hx" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-quaj-w9r3-qya8" }, { "vulnerability": "VCID-reu2-2xcq-fqa4" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-trd4-8vc9-ufab" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.11rc1" } ], "aliases": [ "CVE-2020-11981", "GHSA-976r-qfjj-c24w", "PYSEC-2020-15" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z4w8-3mr1-63ed" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@1.10.7rc2" }