Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/26396?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/26396?format=api", "purl": "pkg:pypi/apache-airflow@2.2.0", "type": "pypi", "namespace": "", "name": "apache-airflow", "version": "2.2.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.2.0", "latest_non_vulnerable_version": "3.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36041?format=api", "vulnerability_id": "VCID-2fnz-jqpe-nuau", "summary": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh" }, { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml" }, { "reference_url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45229", "reference_id": "CVE-2021-45229", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45229" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26750?format=api", "purl": "pkg:pypi/apache-airflow@2.2.4rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4rc1" } ], "aliases": [ "CVE-2021-45229", "GHSA-65xw-pcqw-hjrh", "PYSEC-2022-29" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2fnz-jqpe-nuau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37294?format=api", "vulnerability_id": "VCID-2xr2-w3hk-auck", "summary": "Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/61641", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/61641" }, { "reference_url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-25917", "PYSEC-2026-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36291?format=api", "vulnerability_id": "VCID-2ysx-9hz5-fyfm", "summary": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/27143", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/27143" }, { "reference_url": "https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29670?format=api", "purl": "pkg:pypi/apache-airflow@2.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2" } ], "aliases": [ "CVE-2022-43985", "PYSEC-2022-42971" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ysx-9hz5-fyfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36650?format=api", "vulnerability_id": "VCID-3h3z-bfsc-jqax", "summary": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.\nThis flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.\nUsers are recommended to upgrade to 2.8.0, which fixes this issue", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929" }, { "reference_url": "https://github.com/apache/airflow/pull/33932", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/apache/airflow/pull/33932" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml" }, { "reference_url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/21/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/21/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50783", "reference_id": "CVE-2023-50783", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50783" }, { "reference_url": "https://github.com/advisories/GHSA-5938-79hg-xh3q", "reference_id": "GHSA-5938-79hg-xh3q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5938-79hg-xh3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32013?format=api", "purl": "pkg:pypi/apache-airflow@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0" } ], "aliases": [ "CVE-2023-50783", "GHSA-5938-79hg-xh3q", "PYSEC-2023-267" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3h3z-bfsc-jqax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36700?format=api", "vulnerability_id": "VCID-4ga6-4111-dyc9", "summary": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1" }, { "reference_url": "https://github.com/apache/airflow/pull/36257", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/36257" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml" }, { "reference_url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50944", "reference_id": "CVE-2023-50944", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50944" }, { "reference_url": "https://github.com/advisories/GHSA-vm5m-qmrx-fw8w", "reference_id": "GHSA-vm5m-qmrx-fw8w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vm5m-qmrx-fw8w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32014?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32015?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1" } ], "aliases": [ "CVE-2023-50944", "GHSA-vm5m-qmrx-fw8w", "PYSEC-2024-14" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36311?format=api", "vulnerability_id": "VCID-4xax-xw67-2qfv", "summary": "A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/22754", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/22754" }, { "reference_url": "https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/11/14/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/11/14/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29109?format=api", "purl": "pkg:pypi/apache-airflow@2.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4bps-htex-tqgk" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5nys-mzgw-4khd" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6pk8-baws-e3dt" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.1" } ], "aliases": [ "CVE-2022-27949", "PYSEC-2022-42981" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4xax-xw67-2qfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36861?format=api", "vulnerability_id": "VCID-56eq-awhd-d3fr", "summary": "Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. \nUsers are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/41672", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/41672" }, { "reference_url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/09/06/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/09/06/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32042?format=api", "purl": "pkg:pypi/apache-airflow@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1" } ], "aliases": [ "CVE-2024-45034", "PYSEC-2024-212" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36572?format=api", "vulnerability_id": "VCID-5cpd-kjpb-ekhv", "summary": "Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/34315", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/34315" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml" }, { "reference_url": "https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42663", "reference_id": "CVE-2023-42663", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42663" }, { "reference_url": "https://github.com/advisories/GHSA-32wr-qqw6-5mfp", "reference_id": "GHSA-32wr-qqw6-5mfp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-32wr-qqw6-5mfp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42663", "GHSA-32wr-qqw6-5mfp", "PYSEC-2023-197" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5cpd-kjpb-ekhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36290?format=api", "vulnerability_id": "VCID-5yxa-ubfq-fqdx", "summary": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/27143", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/27143" }, { "reference_url": "https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29670?format=api", "purl": "pkg:pypi/apache-airflow@2.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2" } ], "aliases": [ "CVE-2022-43982", "PYSEC-2022-42970" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5yxa-ubfq-fqdx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36544?format=api", "vulnerability_id": "VCID-5zmy-2ape-7qfa", "summary": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.\n\nUsers are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e" }, { "reference_url": "https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148" }, { "reference_url": "https://github.com/apache/airflow/pull/33512", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33512" }, { "reference_url": "https://github.com/apache/airflow/pull/33516", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33516" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml" }, { "reference_url": "https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40712", "reference_id": "CVE-2023-40712", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40712" }, { "reference_url": "https://github.com/advisories/GHSA-mjqh-v5f2-g2mw", "reference_id": "GHSA-mjqh-v5f2-g2mw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mjqh-v5f2-g2mw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32003?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1" } ], "aliases": [ "CVE-2023-40712", "GHSA-mjqh-v5f2-g2mw", "PYSEC-2023-171" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5zmy-2ape-7qfa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36517?format=api", "vulnerability_id": "VCID-6gjt-zsju-47a3", "summary": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.\n\nApache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.\nThis issue affects Apache Airflow Drill Provider: before 2.4.3.\nIt is recommended to upgrade to a version that is not affected.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/394a727ac2c18d58978bf186a7a92923460ec110" }, { "reference_url": "https://github.com/apache/airflow/pull/33074", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33074" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-136.yaml" }, { "reference_url": "https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/08/11/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2023/08/11/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/08/11/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/08/11/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39553", "reference_id": "CVE-2023-39553", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39553" }, { "reference_url": "https://github.com/advisories/GHSA-mq4v-6vg4-796c", "reference_id": "GHSA-mq4v-6vg4-796c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mq4v-6vg4-796c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29765?format=api", "purl": "pkg:pypi/apache-airflow@2.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3" } ], "aliases": [ "CVE-2023-39553", "GHSA-mq4v-6vg4-796c", "PYSEC-2023-136" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6gjt-zsju-47a3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36744?format=api", "vulnerability_id": "VCID-6vg9-hu9u-q7c3", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b" }, { "reference_url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9" }, { "reference_url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7" }, { "reference_url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a" }, { "reference_url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326" }, { "reference_url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446" }, { "reference_url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24" }, { "reference_url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2" }, { "reference_url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4" }, { "reference_url": "https://github.com/apache/airflow/pull/37290", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37290" }, { "reference_url": "https://github.com/apache/airflow/pull/37468", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37468" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml" }, { "reference_url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/29/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/02/29/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906", "reference_id": "CVE-2024-27906", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906" }, { "reference_url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2", "reference_id": "GHSA-6v6w-h8m6-7mv2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-27906", "GHSA-6v6w-h8m6-7mv2", "PYSEC-2024-245" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36486?format=api", "vulnerability_id": "VCID-71hr-1ews-9qa6", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db" }, { "reference_url": "https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352" }, { "reference_url": "https://github.com/apache/airflow/pull/32014", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32014" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml" }, { "reference_url": "https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35908", "reference_id": "CVE-2023-35908", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35908" }, { "reference_url": "https://github.com/advisories/GHSA-2h84-3crq-vgfj", "reference_id": "GHSA-2h84-3crq-vgfj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2h84-3crq-vgfj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-35908", "GHSA-2h84-3crq-vgfj", "PYSEC-2023-119" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-71hr-1ews-9qa6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36745?format=api", "vulnerability_id": "VCID-835a-arqz-g7h7", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa" }, { "reference_url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99" }, { "reference_url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e" }, { "reference_url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d" }, { "reference_url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f" }, { "reference_url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c" }, { "reference_url": "https://github.com/apache/airflow/pull/37501", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37501" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml" }, { "reference_url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280", "reference_id": "CVE-2024-26280", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280" }, { "reference_url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459", "reference_id": "GHSA-6xwf-xvf3-v459", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-26280", "GHSA-6xwf-xvf3-v459", "PYSEC-2024-42" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37295?format=api", "vulnerability_id": "VCID-91n6-evww-zybp", "summary": "In case of SQL errors, exception/stack trace of errors was exposed in API even if \"api/expose_stack_traces\" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/63028", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/63028" }, { "reference_url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-30912", "PYSEC-2026-18" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36607?format=api", "vulnerability_id": "VCID-98yf-mvnw-d3b4", "summary": "Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome.\nUsers of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3" }, { "reference_url": "https://github.com/apache/airflow/pull/34939", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/34939" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml" }, { "reference_url": "https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42781", "reference_id": "CVE-2023-42781", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42781" }, { "reference_url": "https://github.com/advisories/GHSA-r7x6-xfcm-3mxv", "reference_id": "GHSA-r7x6-xfcm-3mxv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-r7x6-xfcm-3mxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32007?format=api", "purl": "pkg:pypi/apache-airflow@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3" } ], "aliases": [ "CVE-2023-42781", "GHSA-r7x6-xfcm-3mxv", "PYSEC-2023-231" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-98yf-mvnw-d3b4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36699?format=api", "vulnerability_id": "VCID-amac-hqnj-xfgz", "summary": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462" }, { "reference_url": "https://github.com/apache/airflow/pull/36255", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/36255" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml" }, { "reference_url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50943", "reference_id": "CVE-2023-50943", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50943" }, { "reference_url": "https://github.com/advisories/GHSA-c3c6-f2ww-xfr2", "reference_id": "GHSA-c3c6-f2ww-xfr2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c3c6-f2ww-xfr2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32014?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32015?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1" } ], "aliases": [ "CVE-2023-50943", "GHSA-c3c6-f2ww-xfr2", "PYSEC-2024-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36510?format=api", "vulnerability_id": "VCID-b3w3-h9cm-ufgm", "summary": "Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The \"Run Task\" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The \"Run Task\" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0\n\nThis issue affects Apache Airflow: before 2.6.0.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/101d59c4b88ab979d305b8d96f612c27c8a44aa8" }, { "reference_url": "https://github.com/apache/airflow/pull/29706", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/29706" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-134.yaml" }, { "reference_url": "https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39508", "reference_id": "CVE-2023-39508", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39508" }, { "reference_url": "https://github.com/advisories/GHSA-269x-pg5c-5xgm", "reference_id": "GHSA-269x-pg5c-5xgm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-269x-pg5c-5xgm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31981?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/31987?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0" } ], "aliases": [ "CVE-2023-39508", "GHSA-269x-pg5c-5xgm", "PYSEC-2023-134" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3w3-h9cm-ufgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36526?format=api", "vulnerability_id": "VCID-cahz-4dy7-bbe9", "summary": "The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).\n\nWith this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.\n\nUsers of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6" }, { "reference_url": "https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b" }, { "reference_url": "https://github.com/apache/airflow/pull/33347", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/33347" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml" }, { "reference_url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/08/23/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://www.openwall.com/lists/oss-security/2023/08/23/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40273", "reference_id": "CVE-2023-40273", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40273" }, { "reference_url": "https://github.com/advisories/GHSA-pm87-24wq-r8w9", "reference_id": "GHSA-pm87-24wq-r8w9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pm87-24wq-r8w9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31999?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/32001?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1" } ], "aliases": [ "CVE-2023-40273", "GHSA-pm87-24wq-r8w9", "PYSEC-2023-158" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cahz-4dy7-bbe9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36389?format=api", "vulnerability_id": "VCID-dh4r-77xc-cbas", "summary": "Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.\n\nThis issue affects Apache Airflow Sqoop Provider versions before 3.1.1.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/29500", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/29500" }, { "reference_url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693", "reference_id": "CVE-2023-25693", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693" }, { "reference_url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf", "reference_id": "GHSA-j69x-v4wc-3fpf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32098?format=api", "purl": "pkg:pypi/apache-airflow@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-ezmu-8g1y-e3hz" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-snqz-3f8t-syhd" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1" } ], "aliases": [ "CVE-2023-25693", "GHSA-j69x-v4wc-3fpf", "PYSEC-2023-314" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36484?format=api", "vulnerability_id": "VCID-ez45-qkb4-xkba", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8" }, { "reference_url": "https://github.com/apache/airflow/pull/32309", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32309" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml" }, { "reference_url": "https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46651", "reference_id": "CVE-2022-46651", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46651" }, { "reference_url": "https://github.com/advisories/GHSA-xvw9-3mhm-xjqq", "reference_id": "GHSA-xvw9-3mhm-xjqq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xvw9-3mhm-xjqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2022-46651", "GHSA-xvw9-3mhm-xjqq", "PYSEC-2023-103" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ez45-qkb4-xkba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36608?format=api", "vulnerability_id": "VCID-fbjk-2uvy-mqfc", "summary": "We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. \n\nApache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. \n\nUsers should upgrade to version 2.7.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad" }, { "reference_url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef" }, { "reference_url": "https://github.com/apache/airflow/pull/33413", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33413" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml" }, { "reference_url": "https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47037", "reference_id": "CVE-2023-47037", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47037" }, { "reference_url": "https://github.com/advisories/GHSA-hm9r-7f84-25c9", "reference_id": "GHSA-hm9r-7f84-25c9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hm9r-7f84-25c9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32007?format=api", "purl": "pkg:pypi/apache-airflow@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3" } ], "aliases": [ "CVE-2023-47037", "GHSA-hm9r-7f84-25c9", "PYSEC-2023-232" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fbjk-2uvy-mqfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36180?format=api", "vulnerability_id": "VCID-gz6e-b7dz-5qdf", "summary": "In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-q8h9-pqcx-59hw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q8h9-pqcx-59hw" }, { "reference_url": "https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/09/02/12", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/09/02/12" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/09/02/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/09/02/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29118?format=api", "purl": "pkg:pypi/apache-airflow@2.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4bps-htex-tqgk" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6pk8-baws-e3dt" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.4" } ], "aliases": [ "CVE-2022-38170", "GHSA-q8h9-pqcx-59hw", "PYSEC-2022-261" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gz6e-b7dz-5qdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36487?format=api", "vulnerability_id": "VCID-h6sp-398p-pbeg", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02" }, { "reference_url": "https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3" }, { "reference_url": "https://github.com/apache/airflow/pull/32293", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32293" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml" }, { "reference_url": "https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22887", "reference_id": "CVE-2023-22887", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22887" }, { "reference_url": "https://github.com/advisories/GHSA-ggwr-4vr8-g7wv", "reference_id": "GHSA-ggwr-4vr8-g7wv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ggwr-4vr8-g7wv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-22887", "GHSA-ggwr-4vr8-g7wv", "PYSEC-2023-104" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h6sp-398p-pbeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36402?format=api", "vulnerability_id": "VCID-hah6-e5fc-juc5", "summary": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951" }, { "reference_url": "https://github.com/apache/airflow/pull/29501", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/29501" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml" }, { "reference_url": "https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25695", "reference_id": "CVE-2023-25695", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25695" }, { "reference_url": "https://github.com/advisories/GHSA-h6g5-wqqr-3mw3", "reference_id": "GHSA-h6g5-wqqr-3mw3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h6g5-wqqr-3mw3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31975?format=api", "purl": "pkg:pypi/apache-airflow@2.5.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/31977?format=api", "purl": "pkg:pypi/apache-airflow@2.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.5.2" } ], "aliases": [ "CVE-2023-25695", "GHSA-h6g5-wqqr-3mw3", "PYSEC-2023-2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hah6-e5fc-juc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36488?format=api", "vulnerability_id": "VCID-hy75-nfg7-zfae", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02" }, { "reference_url": "https://github.com/apache/airflow/pull/32293", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32293" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml" }, { "reference_url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22888", "reference_id": "CVE-2023-22888", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22888" }, { "reference_url": "https://github.com/advisories/GHSA-5946-8p38-vffp", "reference_id": "GHSA-5946-8p38-vffp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5946-8p38-vffp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-22888", "GHSA-5946-8p38-vffp", "PYSEC-2023-105" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hy75-nfg7-zfae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36651?format=api", "vulnerability_id": "VCID-j86y-n37n-n7ft", "summary": "Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nThis is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 \n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c" }, { "reference_url": "https://github.com/apache/airflow/pull/34366", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/34366" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml" }, { "reference_url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/21/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/21/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48291", "reference_id": "CVE-2023-48291", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48291" }, { "reference_url": "https://github.com/advisories/GHSA-8f57-wcmg-4jmh", "reference_id": "GHSA-8f57-wcmg-4jmh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8f57-wcmg-4jmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32013?format=api", "purl": "pkg:pypi/apache-airflow@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0" } ], "aliases": [ "CVE-2023-48291", "GHSA-8f57-wcmg-4jmh", "PYSEC-2023-265" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j86y-n37n-n7ft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36258?format=api", "vulnerability_id": "VCID-kh46-xrgm-9udx", "summary": "In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/26635", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/26635" }, { "reference_url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29467?format=api", "purl": "pkg:pypi/apache-airflow@2.4.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.2rc1" } ], "aliases": [ "CVE-2022-41672", "PYSEC-2022-42983" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kh46-xrgm-9udx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36856?format=api", "vulnerability_id": "VCID-mcbu-b45m-k3ck", "summary": "Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.\nUsers should upgrade to 2.10.0 or later, which fixes this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/40933", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/40933" }, { "reference_url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/08/21/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/08/21/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32040?format=api", "purl": "pkg:pypi/apache-airflow@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0" } ], "aliases": [ "CVE-2024-41937", "PYSEC-2024-181" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36575?format=api", "vulnerability_id": "VCID-njyy-ywer-x7bf", "summary": "Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/34366", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/apache/airflow/pull/34366" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml" }, { "reference_url": "https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42792", "reference_id": "CVE-2023-42792", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42792" }, { "reference_url": "https://github.com/advisories/GHSA-j3w8-2p2h-mrr9", "reference_id": "GHSA-j3w8-2p2h-mrr9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j3w8-2p2h-mrr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42792", "GHSA-j3w8-2p2h-mrr9", "PYSEC-2023-203" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-njyy-ywer-x7bf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36040?format=api", "vulnerability_id": "VCID-pybp-gfy8-2qcr", "summary": "In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-3v7g-4pg3-7r6j", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3v7g-4pg3-7r6j" }, { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml" }, { "reference_url": "https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24288", "reference_id": "CVE-2022-24288", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24288" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26751?format=api", "purl": "pkg:pypi/apache-airflow@2.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5nys-mzgw-4khd" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.4" } ], "aliases": [ "CVE-2022-24288", "GHSA-3v7g-4pg3-7r6j", "PYSEC-2022-30" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pybp-gfy8-2qcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36545?format=api", "vulnerability_id": "VCID-pypb-cezm-rkb2", "summary": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.\n\nUsers should upgrade to version 2.7.1 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad" }, { "reference_url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef" }, { "reference_url": "https://github.com/apache/airflow/pull/33413", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33413" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml" }, { "reference_url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611", "reference_id": "CVE-2023-40611", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611" }, { "reference_url": "https://github.com/advisories/GHSA-wpg8-mf6h-gm92", "reference_id": "GHSA-wpg8-mf6h-gm92", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wpg8-mf6h-gm92" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32003?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1" } ], "aliases": [ "CVE-2023-40611", "GHSA-wpg8-mf6h-gm92", "PYSEC-2023-170" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pypb-cezm-rkb2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36310?format=api", "vulnerability_id": "VCID-q84t-8dac-93dm", "summary": "A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/25960", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/25960" }, { "reference_url": "https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/11/14/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/11/14/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29464?format=api", "purl": "pkg:pypi/apache-airflow@2.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.0" } ], "aliases": [ "CVE-2022-40127", "PYSEC-2022-42982" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q84t-8dac-93dm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36313?format=api", "vulnerability_id": "VCID-qehu-58hj-67gn", "summary": "In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/27576", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/27576" }, { "reference_url": "https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/11/15/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29765?format=api", "purl": "pkg:pypi/apache-airflow@2.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.4.3" } ], "aliases": [ "CVE-2022-45402", "PYSEC-2022-42984" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qehu-58hj-67gn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36436?format=api", "vulnerability_id": "VCID-qmpd-946c-gqbc", "summary": "Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/18347d36e67894604436f3ef47d273532683b473" }, { "reference_url": "https://github.com/apache/airflow/pull/29506", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/29506" }, { "reference_url": "https://github.com/apache/airflow/releases/tag/2.6.0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/releases/tag/2.6.0" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-59.yaml" }, { "reference_url": "https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/05/08/2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2023/05/08/2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25754", "reference_id": "CVE-2023-25754", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25754" }, { "reference_url": "https://github.com/advisories/GHSA-jchm-fm4q-c2fp", "reference_id": "GHSA-jchm-fm4q-c2fp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jchm-fm4q-c2fp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31981?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/31987?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0" } ], "aliases": [ "CVE-2023-25754", "GHSA-jchm-fm4q-c2fp", "PYSEC-2023-59" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmpd-946c-gqbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36415?format=api", "vulnerability_id": "VCID-qr9h-6dg8-gkh3", "summary": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/63d9b24aad0b4b9397682ddac1ea5824354789b3" }, { "reference_url": "https://github.com/apache/airflow/pull/30215", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/30215" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-3.yaml" }, { "reference_url": "https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/04/07/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2023/04/07/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28707", "reference_id": "CVE-2023-28707", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28707" }, { "reference_url": "https://github.com/advisories/GHSA-85pf-r4c7-3j9r", "reference_id": "GHSA-85pf-r4c7-3j9r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-85pf-r4c7-3j9r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29112?format=api", "purl": "pkg:pypi/apache-airflow@2.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4bps-htex-tqgk" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5nys-mzgw-4khd" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6pk8-baws-e3dt" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.2" } ], "aliases": [ "CVE-2023-28707", "GHSA-85pf-r4c7-3j9r", "PYSEC-2023-3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qr9h-6dg8-gkh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36527?format=api", "vulnerability_id": "VCID-ryct-uaw3-fyfc", "summary": "Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603" }, { "reference_url": "https://github.com/apache/airflow/pull/32052", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "https://github.com/apache/airflow/pull/32052" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml" }, { "reference_url": "https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/08/23/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2023/08/23/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37379", "reference_id": "CVE-2023-37379", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37379" }, { "reference_url": "https://github.com/advisories/GHSA-x2mh-8fmc-rqgh", "reference_id": "GHSA-x2mh-8fmc-rqgh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x2mh-8fmc-rqgh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31997?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32000?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-c5dx-r8gh-93fm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0" } ], "aliases": [ "CVE-2023-37379", "GHSA-x2mh-8fmc-rqgh", "PYSEC-2023-152" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ryct-uaw3-fyfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36435?format=api", "vulnerability_id": "VCID-suwt-h1ze-mydu", "summary": "Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/46c85ec11d224c133da6c45c1186c9aa498a7e75" }, { "reference_url": "https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f819dfcb24c597058b7b671f6317e4c84976975e" }, { "reference_url": "https://github.com/apache/airflow/pull/30447", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/30447" }, { "reference_url": "https://github.com/apache/airflow/pull/30779", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/30779" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-60.yaml" }, { "reference_url": "https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29247", "reference_id": "CVE-2023-29247", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29247" }, { "reference_url": "https://github.com/advisories/GHSA-vcf6-3wv2-5vcr", "reference_id": "GHSA-vcf6-3wv2-5vcr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vcf6-3wv2-5vcr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31987?format=api", "purl": "pkg:pypi/apache-airflow@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q4rb-1yt3-rqdk" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.0" } ], "aliases": [ "CVE-2023-29247", "GHSA-vcf6-3wv2-5vcr", "PYSEC-2023-60" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-suwt-h1ze-mydu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37186?format=api", "vulnerability_id": "VCID-t3ap-dzfp-1bd6", "summary": "In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.\n\nUsers are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/59688", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/59688" }, { "reference_url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/01/15/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/01/15/6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675", "reference_id": "CVE-2025-68675", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675" }, { "reference_url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h", "reference_id": "GHSA-7c2f-r6gc-h92h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32056?format=api", "purl": "pkg:pypi/apache-airflow@2.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/47095?format=api", "purl": "pkg:pypi/apache-airflow@3.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6" } ], "aliases": [ "CVE-2025-68675", "GHSA-7c2f-r6gc-h92h", "PYSEC-2026-10" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36573?format=api", "vulnerability_id": "VCID-t476-g5u5-1yeh", "summary": "Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/34355", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/34355" }, { "reference_url": "https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42780", "reference_id": "CVE-2023-42780", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42780" }, { "reference_url": "https://github.com/advisories/GHSA-cgx2-rrmr-jx43", "reference_id": "GHSA-cgx2-rrmr-jx43", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cgx2-rrmr-jx43" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42780", "GHSA-cgx2-rrmr-jx43", "PYSEC-2023-202" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t476-g5u5-1yeh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36933?format=api", "vulnerability_id": "VCID-u5wv-47m4-8yd6", "summary": "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/43040", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/43040" }, { "reference_url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/11/15/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/11/15/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32047?format=api", "purl": "pkg:pypi/apache-airflow@2.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3" } ], "aliases": [ "CVE-2024-45784", "PYSEC-2024-182" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36817?format=api", "vulnerability_id": "VCID-x9ns-34nt-gfer", "summary": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. \n\nAirflow did not return \"Cache-Control\" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.\n\nThis issue affects Apache Airflow: before 2.9.2.\n\nUsers are recommended to upgrade to version 2.9.2, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/39550", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/39550" }, { "reference_url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/06/13/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/06/13/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32034?format=api", "purl": "pkg:pypi/apache-airflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2" } ], "aliases": [ "CVE-2024-25142", "PYSEC-2024-195" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36485?format=api", "vulnerability_id": "VCID-xh7u-8ze6-cqhk", "summary": "Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315" }, { "reference_url": "https://github.com/apache/airflow/pull/32060", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32060" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml" }, { "reference_url": "https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36543", "reference_id": "CVE-2023-36543", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36543" }, { "reference_url": "https://github.com/advisories/GHSA-3h4m-m55v-gx4m", "reference_id": "GHSA-3h4m-m55v-gx4m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3h4m-m55v-gx4m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-36543", "GHSA-3h4m-m55v-gx4m", "PYSEC-2023-106" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xh7u-8ze6-cqhk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36835?format=api", "vulnerability_id": "VCID-ydhm-m8vh-mber", "summary": "Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/40475", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/40475" }, { "reference_url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32036?format=api", "purl": "pkg:pypi/apache-airflow@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3" } ], "aliases": [ "CVE-2024-39863", "PYSEC-2024-189" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35967?format=api", "vulnerability_id": "VCID-gn6e-a1yp-g7dw", "summary": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-4jh2-3c85-q67h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4jh2-3c85-q67h" }, { "reference_url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45230", "reference_id": "CVE-2021-45230", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45230" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19932?format=api", "purl": "pkg:pypi/apache-airflow@2.0.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-9tq4-v733-hug3" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-due7-n14c-akfx" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-frbp-mhhr-8bdt" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-y7az-a4um-jqff" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.0.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/26396?format=api", "purl": "pkg:pypi/apache-airflow@2.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2fnz-jqpe-nuau" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-2ysx-9hz5-fyfm" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-4xax-xw67-2qfv" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5yxa-ubfq-fqdx" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6gjt-zsju-47a3" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-71hr-1ews-9qa6" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-b3w3-h9cm-ufgm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-ez45-qkb4-xkba" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-gz6e-b7dz-5qdf" }, { "vulnerability": "VCID-h6sp-398p-pbeg" }, { "vulnerability": "VCID-hah6-e5fc-juc5" }, { "vulnerability": "VCID-hy75-nfg7-zfae" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-kh46-xrgm-9udx" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pybp-gfy8-2qcr" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-q84t-8dac-93dm" }, { "vulnerability": "VCID-qehu-58hj-67gn" }, { "vulnerability": "VCID-qmpd-946c-gqbc" }, { "vulnerability": "VCID-qr9h-6dg8-gkh3" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-suwt-h1ze-mydu" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-xh7u-8ze6-cqhk" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.0" } ], "aliases": [ "CVE-2021-45230", "GHSA-4jh2-3c85-q67h", "PYSEC-2022-11" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gn6e-a1yp-g7dw" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.2.0" }