| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1963-1kyn-2ban |
| vulnerability_id |
VCID-1963-1kyn-2ban |
| summary |
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then.
Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.
Users should upgrade to version 2.7.3 or later which has removed the vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/33413 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:19:46Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/33413 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
http://www.openwall.com/lists/oss-security/2023/11/12/1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:19:46Z/ |
|
|
| url |
http://www.openwall.com/lists/oss-security/2023/11/12/1 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.3 |
| purl |
pkg:pypi/apache-airflow@2.7.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 2 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 3 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 4 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 5 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 6 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 7 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 8 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 9 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 10 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 11 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 12 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 13 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 14 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 15 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 16 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 17 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3 |
|
|
| aliases |
BIT-airflow-2023-47037, CVE-2023-47037, GHSA-hm9r-7f84-25c9, PYSEC-2023-232
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1963-1kyn-2ban |
|
| 1 |
| url |
VCID-1azm-hsvr-f3e8 |
| vulnerability_id |
VCID-1azm-hsvr-f3e8 |
| summary |
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.
This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.1.1 |
| purl |
pkg:pypi/apache-airflow@3.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4fjp-pn9s-tyhz |
|
| 1 |
| vulnerability |
VCID-9x6r-5m59-yyap |
|
| 2 |
| vulnerability |
VCID-bv7f-s53t-uqe4 |
|
| 3 |
| vulnerability |
VCID-g8pv-cam5-d7dj |
|
| 4 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 5 |
| vulnerability |
VCID-kmz1-dm9f-d7hj |
|
| 6 |
| vulnerability |
VCID-m3ff-jty5-3uhw |
|
| 7 |
| vulnerability |
VCID-nrc9-bdc2-dfes |
|
| 8 |
| vulnerability |
VCID-nrgz-jdnp-kyet |
|
| 9 |
| vulnerability |
VCID-pvh4-3wng-ekdq |
|
| 10 |
| vulnerability |
VCID-tj2m-5j3f-5ueq |
|
| 11 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 12 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 13 |
| vulnerability |
VCID-vwv4-7y7y-9fcj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1 |
|
|
| aliases |
CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
|
| risk_score |
4.4 |
| exploitability |
0.5 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1azm-hsvr-f3e8 |
|
| 2 |
| url |
VCID-1ptn-xvsy-d3hu |
| vulnerability_id |
VCID-1ptn-xvsy-d3hu |
| summary |
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/32060 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-04T13:45:53Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/32060 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.3 |
| purl |
pkg:pypi/apache-airflow@2.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 26 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3 |
|
|
| aliases |
BIT-airflow-2023-36543, CVE-2023-36543, GHSA-3h4m-m55v-gx4m, PYSEC-2023-106
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1ptn-xvsy-d3hu |
|
| 3 |
| url |
VCID-2q7x-bua5-37h7 |
| vulnerability_id |
VCID-2q7x-bua5-37h7 |
| summary |
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).
With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.
Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/33347 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T20:28:46Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/33347 |
|
| 5 |
|
| 6 |
| reference_url |
https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T20:28:46Z/ |
|
|
| url |
https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj |
|
| 7 |
| reference_url |
https://www.openwall.com/lists/oss-security/2023/08/23/1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T20:28:46Z/ |
|
|
| url |
https://www.openwall.com/lists/oss-security/2023/08/23/1 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.0rc2 |
| purl |
pkg:pypi/apache-airflow@2.7.0rc2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 26 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0rc2 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.7.1rc1 |
| purl |
pkg:pypi/apache-airflow@2.7.1rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 3 |
| vulnerability |
VCID-63fw-ggbk-9ycy |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1 |
|
|
| aliases |
BIT-airflow-2023-40273, CVE-2023-40273, GHSA-pm87-24wq-r8w9, PYSEC-2023-158
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2q7x-bua5-37h7 |
|
| 4 |
| url |
VCID-4693-xwwu-7uem |
| vulnerability_id |
VCID-4693-xwwu-7uem |
| summary |
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/29501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-13T14:29:36Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/29501 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.5.2rc1 |
| purl |
pkg:pypi/apache-airflow@2.5.2rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-1tvn-y85f-jkb9 |
|
| 4 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 5 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 6 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 7 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 15 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 16 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 17 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 18 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 19 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 20 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 21 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 22 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 23 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 24 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 25 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 26 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 27 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 28 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 29 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 30 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 31 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 32 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 33 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 34 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 35 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.5.2 |
| purl |
pkg:pypi/apache-airflow@2.5.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-1tvn-y85f-jkb9 |
|
| 4 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 8 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 9 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 10 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 11 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 12 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 21 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 22 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 23 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 24 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 25 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 26 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 27 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 28 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 29 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 30 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 31 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 32 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 33 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 34 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2 |
|
|
| aliases |
BIT-airflow-2023-25695, CVE-2023-25695, GHSA-h6g5-wqqr-3mw3, PYSEC-2023-2
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4693-xwwu-7uem |
|
| 5 |
| url |
VCID-4btd-59ga-1yd4 |
| vulnerability_id |
VCID-4btd-59ga-1yd4 |
| summary |
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/30447 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T18:25:56Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/30447 |
|
| 5 |
| reference_url |
https://github.com/apache/airflow/pull/30779 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T18:25:56Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/30779 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.0 |
| purl |
pkg:pypi/apache-airflow@2.6.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-1tvn-y85f-jkb9 |
|
| 4 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 5 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 6 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 7 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 8 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 9 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 10 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 11 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 12 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 21 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 22 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 23 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 24 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 25 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 26 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 27 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 28 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 29 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 30 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 31 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 32 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0 |
|
|
| aliases |
BIT-airflow-2023-29247, CVE-2023-29247, GHSA-vcf6-3wv2-5vcr, PYSEC-2023-60
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4btd-59ga-1yd4 |
|
| 6 |
| url |
VCID-4u8d-ezsr-sqcz |
| vulnerability_id |
VCID-4u8d-ezsr-sqcz |
| summary |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/36255 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:45Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/36255 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.1rc1 |
| purl |
pkg:pypi/apache-airflow@2.8.1rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 2 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 3 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 4 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 5 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 6 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 7 |
| vulnerability |
VCID-k4r8-a72h-fkdf |
|
| 8 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 9 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 10 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 11 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 12 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 13 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 14 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.8.1 |
| purl |
pkg:pypi/apache-airflow@2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 2 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 3 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 4 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 5 |
| vulnerability |
VCID-k4r8-a72h-fkdf |
|
| 6 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 7 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 8 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 9 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 10 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 11 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 12 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1 |
|
|
| aliases |
BIT-airflow-2023-50943, CVE-2023-50943, GHSA-c3c6-f2ww-xfr2, PYSEC-2024-13
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4u8d-ezsr-sqcz |
|
| 7 |
| url |
VCID-5ph5-s3qc-guf4 |
| vulnerability_id |
VCID-5ph5-s3qc-guf4 |
| summary |
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.
Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.
This issue affects Apache Airflow Drill Provider: before 2.4.3.
It is recommended to upgrade to a version that is not affected. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/33074 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:34:02Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/33074 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.4.3 |
| purl |
pkg:pypi/apache-airflow@2.4.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 8 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 9 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 10 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 11 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 12 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 21 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 22 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 23 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 24 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 25 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 26 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 27 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 28 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 29 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 30 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 31 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 32 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 33 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 34 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3 |
|
|
| aliases |
CVE-2023-39553, GHSA-mq4v-6vg4-796c, PYSEC-2023-136
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5ph5-s3qc-guf4 |
|
| 8 |
| url |
VCID-5ufe-1rrj-rkgp |
| vulnerability_id |
VCID-5ufe-1rrj-rkgp |
| summary |
A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/22754 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T19:43:53Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/22754 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.3.1 |
| purl |
pkg:pypi/apache-airflow@2.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 15 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 16 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 17 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 18 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 19 |
| vulnerability |
VCID-fnsx-gtgn-27dr |
|
| 20 |
| vulnerability |
VCID-fut9-4dat-qbfy |
|
| 21 |
| vulnerability |
VCID-gg94-fdbv-y7g1 |
|
| 22 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 23 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 24 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 25 |
| vulnerability |
VCID-k7ea-m9cw-w3fz |
|
| 26 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 27 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 28 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 29 |
| vulnerability |
VCID-p42d-ta7v-7yhn |
|
| 30 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 31 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 32 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 33 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 34 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 35 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 36 |
| vulnerability |
VCID-swav-nrrn-wbcs |
|
| 37 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 38 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 39 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 40 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 41 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 42 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 43 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.1 |
|
|
| aliases |
BIT-airflow-2022-27949, CVE-2022-27949, GHSA-fvw2-2pf7-77vw, PYSEC-2022-42981
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5ufe-1rrj-rkgp |
|
| 9 |
| url |
VCID-6hxm-nnhg-buex |
| vulnerability_id |
VCID-6hxm-nnhg-buex |
| summary |
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.2.4 |
| purl |
pkg:pypi/apache-airflow@2.2.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-5ufe-1rrj-rkgp |
|
| 9 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 10 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 11 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 12 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 13 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 14 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 15 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 16 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 17 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 18 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 19 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 20 |
| vulnerability |
VCID-fnsx-gtgn-27dr |
|
| 21 |
| vulnerability |
VCID-fut9-4dat-qbfy |
|
| 22 |
| vulnerability |
VCID-gg94-fdbv-y7g1 |
|
| 23 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 24 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 25 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 26 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 27 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 28 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 29 |
| vulnerability |
VCID-p42d-ta7v-7yhn |
|
| 30 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 31 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 32 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 33 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 34 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 35 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 36 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 37 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 38 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 39 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 40 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 41 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 42 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4 |
|
|
| aliases |
BIT-airflow-2022-24288, CVE-2022-24288, GHSA-3v7g-4pg3-7r6j, PYSEC-2022-30
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6hxm-nnhg-buex |
|
| 10 |
| url |
VCID-7z8j-8f4d-53dm |
| vulnerability_id |
VCID-7z8j-8f4d-53dm |
| summary |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/32309 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-04T13:45:26Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/32309 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.3 |
| purl |
pkg:pypi/apache-airflow@2.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 26 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3 |
|
|
| aliases |
BIT-airflow-2022-46651, CVE-2022-46651, GHSA-xvw9-3mhm-xjqq, PYSEC-2023-103
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7z8j-8f4d-53dm |
|
| 11 |
| url |
VCID-82p8-yujf-hkdd |
| vulnerability_id |
VCID-82p8-yujf-hkdd |
| summary |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/36257 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-26T15:48:59Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/36257 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.1rc1 |
| purl |
pkg:pypi/apache-airflow@2.8.1rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 2 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 3 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 4 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 5 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 6 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 7 |
| vulnerability |
VCID-k4r8-a72h-fkdf |
|
| 8 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 9 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 10 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 11 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 12 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 13 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 14 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.8.1 |
| purl |
pkg:pypi/apache-airflow@2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 2 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 3 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 4 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 5 |
| vulnerability |
VCID-k4r8-a72h-fkdf |
|
| 6 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 7 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 8 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 9 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 10 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 11 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 12 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1 |
|
|
| aliases |
BIT-airflow-2023-50944, CVE-2023-50944, GHSA-vm5m-qmrx-fw8w, PYSEC-2024-14
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-82p8-yujf-hkdd |
|
| 12 |
| url |
VCID-8m3p-yzr8-yyhj |
| vulnerability_id |
VCID-8m3p-yzr8-yyhj |
| summary |
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/40933 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:36:00Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/40933 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
BIT-airflow-2024-41937, CVE-2024-41937, GHSA-w7cp-g8v7-r54m, PYSEC-2024-181
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8m3p-yzr8-yyhj |
|
| 13 |
| url |
VCID-8npr-rvfd-jkfj |
| vulnerability_id |
VCID-8npr-rvfd-jkfj |
| summary |
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.
Users should upgrade to version 2.7.1 or later which has removed the vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/33413 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-25T13:36:48Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/33413 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
http://www.openwall.com/lists/oss-security/2023/11/12/1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-25T13:36:48Z/ |
|
|
| url |
http://www.openwall.com/lists/oss-security/2023/11/12/1 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.1 |
| purl |
pkg:pypi/apache-airflow@2.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 3 |
| vulnerability |
VCID-63fw-ggbk-9ycy |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 7 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 8 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 9 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 10 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 11 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 12 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 13 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 14 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 15 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 16 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 17 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 18 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 19 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 20 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 21 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 22 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 23 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1 |
|
|
| aliases |
BIT-airflow-2023-40611, CVE-2023-40611, GHSA-wpg8-mf6h-gm92, PYSEC-2023-170
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8npr-rvfd-jkfj |
|
| 14 |
| url |
VCID-8ykk-1kak-6bfd |
| vulnerability_id |
VCID-8ykk-1kak-6bfd |
| summary |
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.2 |
| purl |
pkg:pypi/apache-airflow@2.7.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 3 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 4 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 5 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 6 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 7 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 8 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 9 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 10 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 11 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 12 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 13 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 14 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 15 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 16 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 17 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 18 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 19 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2 |
|
|
| aliases |
BIT-airflow-2023-42780, CVE-2023-42780, GHSA-cgx2-rrmr-jx43, PYSEC-2023-202
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8ykk-1kak-6bfd |
|
| 15 |
| url |
VCID-arbk-dryb-qkda |
| vulnerability_id |
VCID-arbk-dryb-qkda |
| summary |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://github.com/apache/airflow/pull/37501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T15:36:34Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/37501 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
http://www.openwall.com/lists/oss-security/2024/03/01/1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T15:36:34Z/ |
|
|
| url |
http://www.openwall.com/lists/oss-security/2024/03/01/1 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
BIT-airflow-2024-26280, CVE-2024-26280, GHSA-6xwf-xvf3-v459, PYSEC-2024-42
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-arbk-dryb-qkda |
|
| 16 |
| url |
VCID-ctd9-hxfn-8fcs |
| vulnerability_id |
VCID-ctd9-hxfn-8fcs |
| summary |
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.4.1rc1 |
| purl |
pkg:pypi/apache-airflow@2.4.1rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 15 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 16 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 17 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 18 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 19 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 20 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 21 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 22 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 23 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 24 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 25 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 26 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 27 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 28 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 29 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 30 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 31 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 32 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 33 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 34 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 35 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 36 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 37 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 38 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 39 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.1rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.4.2rc1 |
| purl |
pkg:pypi/apache-airflow@2.4.2rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 15 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 16 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 17 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 18 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 19 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 20 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 21 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 22 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 23 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 24 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 25 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 26 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 27 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 28 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 29 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 30 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 31 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 32 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 33 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 34 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 35 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 36 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 37 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 38 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2rc1 |
|
|
| aliases |
BIT-airflow-2022-41672, CVE-2022-41672, GHSA-3q8r-f3pj-3gc4, PYSEC-2022-42983
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ctd9-hxfn-8fcs |
|
| 17 |
| url |
VCID-d3kc-fn21-xqar |
| vulnerability_id |
VCID-d3kc-fn21-xqar |
| summary |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/32293 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-04T13:44:40Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/32293 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.3 |
| purl |
pkg:pypi/apache-airflow@2.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 26 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3 |
|
|
| aliases |
BIT-airflow-2023-22887, CVE-2023-22887, GHSA-ggwr-4vr8-g7wv, PYSEC-2023-104
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d3kc-fn21-xqar |
|
| 18 |
| url |
VCID-dk1y-938p-k3bv |
| vulnerability_id |
VCID-dk1y-938p-k3bv |
| summary |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/32293 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-04T13:48:07Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/32293 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.3 |
| purl |
pkg:pypi/apache-airflow@2.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 26 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3 |
|
|
| aliases |
BIT-airflow-2023-22888, CVE-2023-22888, GHSA-5946-8p38-vffp, PYSEC-2023-105
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dk1y-938p-k3bv |
|
| 19 |
| url |
VCID-e19b-adrm-x7fu |
| vulnerability_id |
VCID-e19b-adrm-x7fu |
| summary |
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.4.3 |
| purl |
pkg:pypi/apache-airflow@2.4.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 8 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 9 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 10 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 11 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 12 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 21 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 22 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 23 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 24 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 25 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 26 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 27 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 28 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 29 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 30 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 31 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 32 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 33 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 34 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3 |
|
|
| aliases |
BIT-airflow-2022-45402, CVE-2022-45402, GHSA-rg94-84xj-7gq3, PYSEC-2022-42984
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e19b-adrm-x7fu |
|
| 20 |
| url |
VCID-fctg-457f-4uae |
| vulnerability_id |
VCID-fctg-457f-4uae |
| summary |
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome.
Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/34939 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:20:08Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/34939 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.3 |
| purl |
pkg:pypi/apache-airflow@2.7.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 2 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 3 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 4 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 5 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 6 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 7 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 8 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 9 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 10 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 11 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 12 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 13 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 14 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 15 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 16 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 17 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3 |
|
|
| aliases |
BIT-airflow-2023-42781, CVE-2023-42781, GHSA-r7x6-xfcm-3mxv, PYSEC-2023-231
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fctg-457f-4uae |
|
| 21 |
| url |
VCID-fnsx-gtgn-27dr |
| vulnerability_id |
VCID-fnsx-gtgn-27dr |
| summary |
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/25960 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-30T18:58:19Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/25960 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.4.0 |
| purl |
pkg:pypi/apache-airflow@2.4.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 15 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 16 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 17 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 18 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 19 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 20 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 21 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 22 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 23 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 24 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 25 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 26 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 27 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 28 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 29 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 30 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 31 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 32 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 33 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 34 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 35 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 36 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 37 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 38 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 39 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.0 |
|
|
| aliases |
BIT-airflow-2022-40127, CVE-2022-40127, GHSA-6pw3-8h9w-32gc, PYSEC-2022-42982
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fnsx-gtgn-27dr |
|
| 22 |
| url |
VCID-gbgf-jfzt-tqg1 |
| vulnerability_id |
VCID-gbgf-jfzt-tqg1 |
| summary |
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/advisories/GHSA-65xw-pcqw-hjrh |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/advisories/GHSA-65xw-pcqw-hjrh |
|
| 2 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.2.4rc1 |
| purl |
pkg:pypi/apache-airflow@2.2.4rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-5ufe-1rrj-rkgp |
|
| 9 |
| vulnerability |
VCID-6hxm-nnhg-buex |
|
| 10 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 11 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 12 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 13 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 14 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 15 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 16 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 17 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 18 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 19 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 20 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 21 |
| vulnerability |
VCID-fnsx-gtgn-27dr |
|
| 22 |
| vulnerability |
VCID-gg94-fdbv-y7g1 |
|
| 23 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 24 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 25 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 26 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 27 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 28 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 29 |
| vulnerability |
VCID-p42d-ta7v-7yhn |
|
| 30 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 31 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 32 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 33 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 34 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 35 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 36 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 37 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 38 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 39 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 40 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 41 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 42 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4rc1 |
|
|
| aliases |
BIT-airflow-2021-45229, CVE-2021-45229, GHSA-65xw-pcqw-hjrh, PYSEC-2022-29
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gbgf-jfzt-tqg1 |
|
| 23 |
| url |
VCID-gg94-fdbv-y7g1 |
| vulnerability_id |
VCID-gg94-fdbv-y7g1 |
| summary |
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/30215 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-23T15:07:44Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/30215 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.3.2 |
| purl |
pkg:pypi/apache-airflow@2.3.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 15 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 16 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 17 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 18 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 19 |
| vulnerability |
VCID-fnsx-gtgn-27dr |
|
| 20 |
| vulnerability |
VCID-fut9-4dat-qbfy |
|
| 21 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 22 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 23 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 24 |
| vulnerability |
VCID-k7ea-m9cw-w3fz |
|
| 25 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 26 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 27 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 28 |
| vulnerability |
VCID-p42d-ta7v-7yhn |
|
| 29 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 30 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 31 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 32 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 33 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 34 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 35 |
| vulnerability |
VCID-swav-nrrn-wbcs |
|
| 36 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 37 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 38 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 39 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 40 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 41 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 42 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.2 |
|
|
| aliases |
CVE-2023-28707, GHSA-85pf-r4c7-3j9r, PYSEC-2023-3
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gg94-fdbv-y7g1 |
|
| 24 |
| url |
VCID-hgq2-kuex-y3a3 |
| vulnerability_id |
VCID-hgq2-kuex-y3a3 |
| summary |
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.2 |
| purl |
pkg:pypi/apache-airflow@2.7.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 3 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 4 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 5 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 6 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 7 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 8 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 9 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 10 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 11 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 12 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 13 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 14 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 15 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 16 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 17 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 18 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 19 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2 |
|
|
| aliases |
BIT-airflow-2023-42663, CVE-2023-42663, GHSA-32wr-qqw6-5mfp, PYSEC-2023-197
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hgq2-kuex-y3a3 |
|
| 25 |
| url |
VCID-hpf3-3z3m-6ydt |
| vulnerability_id |
VCID-hpf3-3z3m-6ydt |
| summary |
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.
Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.
This issue affects Apache Airflow: before 2.9.2.
Users are recommended to upgrade to version 2.9.2, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2024-25142, CVE-2024-25142, GHSA-9xpj-62mm-24h2, PYSEC-2024-195
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
5.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hpf3-3z3m-6ydt |
|
| 26 |
| url |
VCID-j6uh-kx6m-sydp |
| vulnerability_id |
VCID-j6uh-kx6m-sydp |
| summary |
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.
Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2026-25917, CVE-2026-25917, GHSA-6ffj-2wg2-w45j, PYSEC-2026-13
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j6uh-kx6m-sydp |
|
| 27 |
| url |
VCID-jrwf-mt69-1ydt |
| vulnerability_id |
VCID-jrwf-mt69-1ydt |
| summary |
In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.2.0 |
| purl |
pkg:pypi/apache-airflow@2.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-5ufe-1rrj-rkgp |
|
| 9 |
| vulnerability |
VCID-6hxm-nnhg-buex |
|
| 10 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 11 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 12 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 13 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 14 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 15 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 16 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 17 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 18 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 19 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 20 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 21 |
| vulnerability |
VCID-fnsx-gtgn-27dr |
|
| 22 |
| vulnerability |
VCID-gbgf-jfzt-tqg1 |
|
| 23 |
| vulnerability |
VCID-gg94-fdbv-y7g1 |
|
| 24 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 25 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 26 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 27 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 28 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 29 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 30 |
| vulnerability |
VCID-p42d-ta7v-7yhn |
|
| 31 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 32 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 33 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 34 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 35 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 36 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 37 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 38 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 39 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 40 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 41 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 42 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 43 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.0 |
|
|
| aliases |
BIT-airflow-2021-45230, CVE-2021-45230, GHSA-4jh2-3c85-q67h, PYSEC-2022-11
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jrwf-mt69-1ydt |
|
| 28 |
| url |
VCID-kb4a-mm13-63bj |
| vulnerability_id |
VCID-kb4a-mm13-63bj |
| summary |
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2024-45784, CVE-2024-45784, GHSA-46c3-5xc5-wwhv, PYSEC-2024-182
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kb4a-mm13-63bj |
|
| 29 |
| url |
VCID-kgfb-yphg-n3ec |
| vulnerability_id |
VCID-kgfb-yphg-n3ec |
| summary |
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/29506 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-10T19:27:15Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/29506 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
http://www.openwall.com/lists/oss-security/2023/05/08/2 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-10T19:27:15Z/ |
|
|
| url |
http://www.openwall.com/lists/oss-security/2023/05/08/2 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.0b1 |
| purl |
pkg:pypi/apache-airflow@2.6.0b1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-1tvn-y85f-jkb9 |
|
| 4 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 8 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 9 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 10 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 11 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 12 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 21 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 22 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 23 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 24 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 25 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 26 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 27 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 28 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 29 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 30 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 31 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 32 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 33 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 34 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.6.0 |
| purl |
pkg:pypi/apache-airflow@2.6.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-1tvn-y85f-jkb9 |
|
| 4 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 5 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 6 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 7 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 8 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 9 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 10 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 11 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 12 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 21 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 22 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 23 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 24 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 25 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 26 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 27 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 28 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 29 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 30 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 31 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 32 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0 |
|
|
| aliases |
BIT-airflow-2023-25754, CVE-2023-25754, GHSA-jchm-fm4q-c2fp, PYSEC-2023-59
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kgfb-yphg-n3ec |
|
| 30 |
| url |
VCID-kjw8-c6cn-3kee |
| vulnerability_id |
VCID-kjw8-c6cn-3kee |
| summary |
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/advisories/GHSA-h88f-r7cw-8fv3 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/advisories/GHSA-h88f-r7cw-8fv3 |
|
| 2 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.1.3 |
| purl |
pkg:pypi/apache-airflow@2.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-5ufe-1rrj-rkgp |
|
| 9 |
| vulnerability |
VCID-6hxm-nnhg-buex |
|
| 10 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 11 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 12 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 13 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 14 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 15 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 16 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 17 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 18 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 19 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 20 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 21 |
| vulnerability |
VCID-fnsx-gtgn-27dr |
|
| 22 |
| vulnerability |
VCID-gbgf-jfzt-tqg1 |
|
| 23 |
| vulnerability |
VCID-gg94-fdbv-y7g1 |
|
| 24 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 25 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 26 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 27 |
| vulnerability |
VCID-jrwf-mt69-1ydt |
|
| 28 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 29 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 30 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 31 |
| vulnerability |
VCID-p42d-ta7v-7yhn |
|
| 32 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 33 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 34 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 35 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 36 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 37 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 38 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 39 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 40 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 41 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 42 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 43 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 44 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.1.3 |
|
|
| aliases |
BIT-airflow-2021-38540, CVE-2021-38540, GHSA-h88f-r7cw-8fv3, PYSEC-2021-326
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kjw8-c6cn-3kee |
|
| 31 |
| url |
VCID-nfbc-tutd-37bw |
| vulnerability_id |
VCID-nfbc-tutd-37bw |
| summary |
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.
This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.
Users are recommended to upgrade to 2.8.0, which fixes this issue |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.0 |
| purl |
pkg:pypi/apache-airflow@2.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 2 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 3 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 4 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 5 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 6 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 7 |
| vulnerability |
VCID-k4r8-a72h-fkdf |
|
| 8 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 9 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 10 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 11 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 12 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 13 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 14 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0 |
|
|
| aliases |
BIT-airflow-2023-50783, CVE-2023-50783, GHSA-5938-79hg-xh3q, PYSEC-2023-267
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nfbc-tutd-37bw |
|
| 32 |
| url |
VCID-p42d-ta7v-7yhn |
| vulnerability_id |
VCID-p42d-ta7v-7yhn |
| summary |
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/advisories/GHSA-q8h9-pqcx-59hw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/advisories/GHSA-q8h9-pqcx-59hw |
|
| 2 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
5.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.3.4 |
| purl |
pkg:pypi/apache-airflow@2.3.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-ctd9-hxfn-8fcs |
|
| 15 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 16 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 17 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 18 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 19 |
| vulnerability |
VCID-fnsx-gtgn-27dr |
|
| 20 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 21 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 22 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 23 |
| vulnerability |
VCID-k7ea-m9cw-w3fz |
|
| 24 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 25 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 26 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 27 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 28 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 29 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 30 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 31 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 32 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 33 |
| vulnerability |
VCID-swav-nrrn-wbcs |
|
| 34 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 35 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 36 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 37 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 38 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 39 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 40 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.4 |
|
|
| aliases |
BIT-airflow-2022-38170, CVE-2022-38170, GHSA-q8h9-pqcx-59hw, PYSEC-2022-261
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p42d-ta7v-7yhn |
|
| 33 |
| url |
VCID-pb3b-22wk-pbh5 |
| vulnerability_id |
VCID-pb3b-22wk-pbh5 |
| summary |
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0
This issue affects Apache Airflow: before 2.6.0. |
| references |
| 0 |
|
| 1 |
| reference_url |
http://seclists.org/fulldisclosure/2023/Jul/43 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-02T16:18:16Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2023/Jul/43 |
|
| 2 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/29706 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-02T16:18:16Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/29706 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.0b1 |
| purl |
pkg:pypi/apache-airflow@2.6.0b1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-1tvn-y85f-jkb9 |
|
| 4 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 8 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 9 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 10 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 11 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 12 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 21 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 22 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 23 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 24 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 25 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 26 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 27 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 28 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 29 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 30 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 31 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 32 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 33 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 34 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.6.0 |
| purl |
pkg:pypi/apache-airflow@2.6.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-1tvn-y85f-jkb9 |
|
| 4 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 5 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 6 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 7 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 8 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 9 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 10 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 11 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 12 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 13 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 14 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 15 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 16 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 17 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 18 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 19 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 20 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 21 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 22 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 23 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 24 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 25 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 26 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 27 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 28 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 29 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 30 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 31 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 32 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0 |
|
|
| aliases |
BIT-airflow-2023-39508, CVE-2023-39508, GHSA-269x-pg5c-5xgm, PYSEC-2023-134
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pb3b-22wk-pbh5 |
|
| 34 |
| url |
VCID-pmtw-nwnc-nyfw |
| vulnerability_id |
VCID-pmtw-nwnc-nyfw |
| summary |
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.
Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.2 |
| purl |
pkg:pypi/apache-airflow@2.7.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 3 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 4 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 5 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 6 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 7 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 8 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 9 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 10 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 11 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 12 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 13 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 14 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 15 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 16 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 17 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 18 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 19 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2 |
|
|
| aliases |
BIT-airflow-2023-42792, CVE-2023-42792, GHSA-j3w8-2p2h-mrr9, PYSEC-2023-203
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pmtw-nwnc-nyfw |
|
| 35 |
| url |
VCID-pqgj-ry81-6ua3 |
| vulnerability_id |
VCID-pqgj-ry81-6ua3 |
| summary |
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/27143 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-02T20:26:33Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/27143 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.4.2rc1 |
| purl |
pkg:pypi/apache-airflow@2.4.2rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 15 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 16 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 17 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 18 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 19 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 20 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 21 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 22 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 23 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 24 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 25 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 26 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 27 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 28 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 29 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 30 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 31 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 32 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 33 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 34 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 35 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 36 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 37 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 38 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.4.2 |
| purl |
pkg:pypi/apache-airflow@2.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 15 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 16 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 17 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 18 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 19 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 20 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 21 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 22 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 23 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 24 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 25 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 26 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 27 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 28 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 29 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 30 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 31 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 32 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 33 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 34 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 35 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 36 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2 |
|
|
| aliases |
BIT-airflow-2022-43985, CVE-2022-43985, GHSA-f9fq-78ch-4wmj, PYSEC-2022-42971
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pqgj-ry81-6ua3 |
|
| 36 |
| url |
VCID-qxnw-7urw-fud2 |
| vulnerability_id |
VCID-qxnw-7urw-fud2 |
| summary |
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/27143 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-02T20:27:33Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/27143 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.4.2rc1 |
| purl |
pkg:pypi/apache-airflow@2.4.2rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 15 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 16 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 17 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 18 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 19 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 20 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 21 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 22 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 23 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 24 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 25 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 26 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 27 |
| vulnerability |
VCID-pqgj-ry81-6ua3 |
|
| 28 |
| vulnerability |
VCID-qxnw-7urw-fud2 |
|
| 29 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 30 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 31 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 32 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 33 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 34 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 35 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 36 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 37 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 38 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.4.2 |
| purl |
pkg:pypi/apache-airflow@2.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-1ptn-xvsy-d3hu |
|
| 3 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 4 |
| vulnerability |
VCID-4693-xwwu-7uem |
|
| 5 |
| vulnerability |
VCID-4btd-59ga-1yd4 |
|
| 6 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 7 |
| vulnerability |
VCID-5ph5-s3qc-guf4 |
|
| 8 |
| vulnerability |
VCID-7z8j-8f4d-53dm |
|
| 9 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 10 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 11 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 12 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 13 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 14 |
| vulnerability |
VCID-d3kc-fn21-xqar |
|
| 15 |
| vulnerability |
VCID-dk1y-938p-k3bv |
|
| 16 |
| vulnerability |
VCID-e19b-adrm-x7fu |
|
| 17 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 18 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 19 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 20 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 21 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 22 |
| vulnerability |
VCID-kgfb-yphg-n3ec |
|
| 23 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 24 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 25 |
| vulnerability |
VCID-pb3b-22wk-pbh5 |
|
| 26 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 27 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 28 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 29 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 30 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 31 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 32 |
| vulnerability |
VCID-vy44-rbar-w3fn |
|
| 33 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 34 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 35 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 36 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2 |
|
|
| aliases |
BIT-airflow-2022-43982, CVE-2022-43982, GHSA-h63r-9xxf-f2c7, PYSEC-2022-42970
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qxnw-7urw-fud2 |
|
| 37 |
| url |
VCID-rysu-xhvt-yqda |
| vulnerability_id |
VCID-rysu-xhvt-yqda |
| summary |
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.
This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2
Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.0 |
| purl |
pkg:pypi/apache-airflow@2.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 1 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 2 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 3 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 4 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 5 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 6 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 7 |
| vulnerability |
VCID-k4r8-a72h-fkdf |
|
| 8 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 9 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 10 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 11 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 12 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 13 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 14 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0 |
|
|
| aliases |
BIT-airflow-2023-48291, CVE-2023-48291, GHSA-8f57-wcmg-4jmh, PYSEC-2023-265
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rysu-xhvt-yqda |
|
| 38 |
| url |
VCID-s49h-br5r-5yh8 |
| vulnerability_id |
VCID-s49h-br5r-5yh8 |
| summary |
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.
Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/33512 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:02:02Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/33512 |
|
| 5 |
| reference_url |
https://github.com/apache/airflow/pull/33516 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:02:02Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/33516 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.1 |
| purl |
pkg:pypi/apache-airflow@2.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 3 |
| vulnerability |
VCID-63fw-ggbk-9ycy |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 7 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 8 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 9 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 10 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 11 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 12 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 13 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 14 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 15 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 16 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 17 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 18 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 19 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 20 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 21 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 22 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 23 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1 |
|
|
| aliases |
BIT-airflow-2023-40712, CVE-2023-40712, GHSA-mjqh-v5f2-g2mw, PYSEC-2023-171
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s49h-br5r-5yh8 |
|
| 39 |
| url |
VCID-tpjn-4kru-vucv |
| vulnerability_id |
VCID-tpjn-4kru-vucv |
| summary |
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/apache/airflow/pull/63028 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:56:44Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/63028 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
BIT-airflow-2026-30912, CVE-2026-30912, GHSA-w7cf-2pmc-5m4c, PYSEC-2026-18
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tpjn-4kru-vucv |
|
| 40 |
| url |
VCID-vj7z-pmk3-cydg |
| vulnerability_id |
VCID-vj7z-pmk3-cydg |
| summary |
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.
Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/32052 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T20:30:43Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/32052 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.7.0b1 |
| purl |
pkg:pypi/apache-airflow@2.7.0b1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 26 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0b1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.7.0 |
| purl |
pkg:pypi/apache-airflow@2.7.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-63fw-ggbk-9ycy |
|
| 5 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 6 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 7 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 8 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 9 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 10 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 11 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 12 |
| vulnerability |
VCID-g9j4-fhpm-uuba |
|
| 13 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 14 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 15 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 16 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 17 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 18 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 19 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 20 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 21 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 22 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 23 |
| vulnerability |
VCID-unq1-wwfg-6ydk |
|
| 24 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 25 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 26 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 27 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0 |
|
|
| aliases |
BIT-airflow-2023-37379, CVE-2023-37379, GHSA-x2mh-8fmc-rqgh, PYSEC-2023-152
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vj7z-pmk3-cydg |
|
| 41 |
| url |
VCID-vras-f42j-xqfg |
| vulnerability_id |
VCID-vras-f42j-xqfg |
| summary |
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.
Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2025-68675, CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vras-f42j-xqfg |
|
| 42 |
| url |
VCID-vy44-rbar-w3fn |
| vulnerability_id |
VCID-vy44-rbar-w3fn |
| summary |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/airflow/pull/32014 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-04T13:43:45Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/32014 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.6.3 |
| purl |
pkg:pypi/apache-airflow@2.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1963-1kyn-2ban |
|
| 1 |
| vulnerability |
VCID-1azm-hsvr-f3e8 |
|
| 2 |
| vulnerability |
VCID-2q7x-bua5-37h7 |
|
| 3 |
| vulnerability |
VCID-4u8d-ezsr-sqcz |
|
| 4 |
| vulnerability |
VCID-82p8-yujf-hkdd |
|
| 5 |
| vulnerability |
VCID-8m3p-yzr8-yyhj |
|
| 6 |
| vulnerability |
VCID-8npr-rvfd-jkfj |
|
| 7 |
| vulnerability |
VCID-8ykk-1kak-6bfd |
|
| 8 |
| vulnerability |
VCID-arbk-dryb-qkda |
|
| 9 |
| vulnerability |
VCID-cxqa-pqca-pqgc |
|
| 10 |
| vulnerability |
VCID-fctg-457f-4uae |
|
| 11 |
| vulnerability |
VCID-hgq2-kuex-y3a3 |
|
| 12 |
| vulnerability |
VCID-hpf3-3z3m-6ydt |
|
| 13 |
| vulnerability |
VCID-j6uh-kx6m-sydp |
|
| 14 |
| vulnerability |
VCID-kb4a-mm13-63bj |
|
| 15 |
| vulnerability |
VCID-mbgq-fq5n-kufh |
|
| 16 |
| vulnerability |
VCID-nfbc-tutd-37bw |
|
| 17 |
| vulnerability |
VCID-pmtw-nwnc-nyfw |
|
| 18 |
| vulnerability |
VCID-rysu-xhvt-yqda |
|
| 19 |
| vulnerability |
VCID-s49h-br5r-5yh8 |
|
| 20 |
| vulnerability |
VCID-tpjn-4kru-vucv |
|
| 21 |
| vulnerability |
VCID-vj7z-pmk3-cydg |
|
| 22 |
| vulnerability |
VCID-vras-f42j-xqfg |
|
| 23 |
| vulnerability |
VCID-w8ff-8479-rbfq |
|
| 24 |
| vulnerability |
VCID-xwza-guvs-83a9 |
|
| 25 |
| vulnerability |
VCID-yrx8-dtav-83av |
|
| 26 |
| vulnerability |
VCID-z5b8-kcbh-m7hr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3 |
|
|
| aliases |
BIT-airflow-2023-35908, CVE-2023-35908, GHSA-2h84-3crq-vgfj, PYSEC-2023-119
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vy44-rbar-w3fn |
|
| 43 |
| url |
VCID-w8ff-8479-rbfq |
| vulnerability_id |
VCID-w8ff-8479-rbfq |
| summary |
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author.
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/41672 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T13:50:48Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/41672 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
BIT-airflow-2024-45034, CVE-2024-45034, GHSA-92xg-gmrq-5c3w, PYSEC-2024-212
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w8ff-8479-rbfq |
|
| 44 |
| url |
VCID-xwza-guvs-83a9 |
| vulnerability_id |
VCID-xwza-guvs-83a9 |
| summary |
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/40475 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T19:39:48Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/40475 |
|
| 4 |
|
| 5 |
| reference_url |
https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T19:39:48Z/ |
|
|
| url |
https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
BIT-airflow-2024-39863, CVE-2024-39863, GHSA-j482-47xf-p25c, PYSEC-2024-189
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xwza-guvs-83a9 |
|
| 45 |
| url |
VCID-yrx8-dtav-83av |
| vulnerability_id |
VCID-yrx8-dtav-83av |
| summary |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/apache/airflow/pull/37290 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:43:33Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/37290 |
|
| 12 |
| reference_url |
https://github.com/apache/airflow/pull/37468 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:43:33Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/37468 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
BIT-airflow-2024-27906, CVE-2024-27906, GHSA-6v6w-h8m6-7mv2, PYSEC-2024-245
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yrx8-dtav-83av |
|
|
|---|