Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/31996?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "type": "pypi", "namespace": "", "name": "apache-airflow", "version": "2.6.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.2.0", "latest_non_vulnerable_version": "3.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37294?format=api", "vulnerability_id": "VCID-2xr2-w3hk-auck", "summary": "Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/61641", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/61641" }, { "reference_url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-25917", "PYSEC-2026-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36650?format=api", "vulnerability_id": "VCID-3h3z-bfsc-jqax", "summary": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.\nThis flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.\nUsers are recommended to upgrade to 2.8.0, which fixes this issue", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929" }, { "reference_url": "https://github.com/apache/airflow/pull/33932", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/apache/airflow/pull/33932" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml" }, { "reference_url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/21/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/21/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50783", "reference_id": "CVE-2023-50783", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50783" }, { "reference_url": "https://github.com/advisories/GHSA-5938-79hg-xh3q", "reference_id": "GHSA-5938-79hg-xh3q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5938-79hg-xh3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32013?format=api", "purl": "pkg:pypi/apache-airflow@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0" } ], "aliases": [ "CVE-2023-50783", "GHSA-5938-79hg-xh3q", "PYSEC-2023-267" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3h3z-bfsc-jqax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36700?format=api", "vulnerability_id": "VCID-4ga6-4111-dyc9", "summary": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1" }, { "reference_url": "https://github.com/apache/airflow/pull/36257", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/36257" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml" }, { "reference_url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50944", "reference_id": "CVE-2023-50944", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50944" }, { "reference_url": "https://github.com/advisories/GHSA-vm5m-qmrx-fw8w", "reference_id": "GHSA-vm5m-qmrx-fw8w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vm5m-qmrx-fw8w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32014?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32015?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1" } ], "aliases": [ "CVE-2023-50944", "GHSA-vm5m-qmrx-fw8w", "PYSEC-2024-14" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36861?format=api", "vulnerability_id": "VCID-56eq-awhd-d3fr", "summary": "Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. \nUsers are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/41672", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/41672" }, { "reference_url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/09/06/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/09/06/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32042?format=api", "purl": "pkg:pypi/apache-airflow@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1" } ], "aliases": [ "CVE-2024-45034", "PYSEC-2024-212" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36572?format=api", "vulnerability_id": "VCID-5cpd-kjpb-ekhv", "summary": "Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/34315", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/34315" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml" }, { "reference_url": "https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42663", "reference_id": "CVE-2023-42663", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42663" }, { "reference_url": "https://github.com/advisories/GHSA-32wr-qqw6-5mfp", "reference_id": "GHSA-32wr-qqw6-5mfp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-32wr-qqw6-5mfp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42663", "GHSA-32wr-qqw6-5mfp", "PYSEC-2023-197" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5cpd-kjpb-ekhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36544?format=api", "vulnerability_id": "VCID-5zmy-2ape-7qfa", "summary": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.\n\nUsers are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e" }, { "reference_url": "https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148" }, { "reference_url": "https://github.com/apache/airflow/pull/33512", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33512" }, { "reference_url": "https://github.com/apache/airflow/pull/33516", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33516" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml" }, { "reference_url": "https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40712", "reference_id": "CVE-2023-40712", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40712" }, { "reference_url": "https://github.com/advisories/GHSA-mjqh-v5f2-g2mw", "reference_id": "GHSA-mjqh-v5f2-g2mw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mjqh-v5f2-g2mw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32003?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1" } ], "aliases": [ "CVE-2023-40712", "GHSA-mjqh-v5f2-g2mw", "PYSEC-2023-171" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5zmy-2ape-7qfa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36744?format=api", "vulnerability_id": "VCID-6vg9-hu9u-q7c3", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b" }, { "reference_url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9" }, { "reference_url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7" }, { "reference_url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a" }, { "reference_url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326" }, { "reference_url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446" }, { "reference_url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24" }, { "reference_url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2" }, { "reference_url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4" }, { "reference_url": "https://github.com/apache/airflow/pull/37290", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37290" }, { "reference_url": "https://github.com/apache/airflow/pull/37468", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37468" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml" }, { "reference_url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/29/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/02/29/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906", "reference_id": "CVE-2024-27906", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906" }, { "reference_url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2", "reference_id": "GHSA-6v6w-h8m6-7mv2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-27906", "GHSA-6v6w-h8m6-7mv2", "PYSEC-2024-245" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36745?format=api", "vulnerability_id": "VCID-835a-arqz-g7h7", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa" }, { "reference_url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99" }, { "reference_url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e" }, { "reference_url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d" }, { "reference_url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f" }, { "reference_url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c" }, { "reference_url": "https://github.com/apache/airflow/pull/37501", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/37501" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml" }, { "reference_url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280", "reference_id": "CVE-2024-26280", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280" }, { "reference_url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459", "reference_id": "GHSA-6xwf-xvf3-v459", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-26280", "GHSA-6xwf-xvf3-v459", "PYSEC-2024-42" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37295?format=api", "vulnerability_id": "VCID-91n6-evww-zybp", "summary": "In case of SQL errors, exception/stack trace of errors was exposed in API even if \"api/expose_stack_traces\" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/63028", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/63028" }, { "reference_url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-30912", "PYSEC-2026-18" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36607?format=api", "vulnerability_id": "VCID-98yf-mvnw-d3b4", "summary": "Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome.\nUsers of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3" }, { "reference_url": "https://github.com/apache/airflow/pull/34939", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/34939" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml" }, { "reference_url": "https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42781", "reference_id": "CVE-2023-42781", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42781" }, { "reference_url": "https://github.com/advisories/GHSA-r7x6-xfcm-3mxv", "reference_id": "GHSA-r7x6-xfcm-3mxv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-r7x6-xfcm-3mxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32007?format=api", "purl": "pkg:pypi/apache-airflow@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3" } ], "aliases": [ "CVE-2023-42781", "GHSA-r7x6-xfcm-3mxv", "PYSEC-2023-231" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-98yf-mvnw-d3b4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36836?format=api", "vulnerability_id": "VCID-a64u-53x6-dfge", "summary": "Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/40522", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/40522" }, { "reference_url": "https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32036?format=api", "purl": "pkg:pypi/apache-airflow@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3" } ], "aliases": [ "CVE-2024-39877", "PYSEC-2024-190" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a64u-53x6-dfge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36699?format=api", "vulnerability_id": "VCID-amac-hqnj-xfgz", "summary": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462" }, { "reference_url": "https://github.com/apache/airflow/pull/36255", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/36255" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml" }, { "reference_url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50943", "reference_id": "CVE-2023-50943", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50943" }, { "reference_url": "https://github.com/advisories/GHSA-c3c6-f2ww-xfr2", "reference_id": "GHSA-c3c6-f2ww-xfr2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c3c6-f2ww-xfr2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32014?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32015?format=api", "purl": "pkg:pypi/apache-airflow@2.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1" } ], "aliases": [ "CVE-2023-50943", "GHSA-c3c6-f2ww-xfr2", "PYSEC-2024-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36526?format=api", "vulnerability_id": "VCID-cahz-4dy7-bbe9", "summary": "The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).\n\nWith this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.\n\nUsers of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6" }, { "reference_url": "https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b" }, { "reference_url": "https://github.com/apache/airflow/pull/33347", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/33347" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml" }, { "reference_url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/08/23/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://www.openwall.com/lists/oss-security/2023/08/23/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40273", "reference_id": "CVE-2023-40273", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40273" }, { "reference_url": "https://github.com/advisories/GHSA-pm87-24wq-r8w9", "reference_id": "GHSA-pm87-24wq-r8w9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pm87-24wq-r8w9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31999?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/32001?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1" } ], "aliases": [ "CVE-2023-40273", "GHSA-pm87-24wq-r8w9", "PYSEC-2023-158" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cahz-4dy7-bbe9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36591?format=api", "vulnerability_id": "VCID-csqr-pdvv-gfbh", "summary": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0.\n\nSensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2).\n\nUsers are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/4a525e85e31b26d413c986c86d181114bb37bd06", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/4a525e85e31b26d413c986c86d181114bb37bd06" }, { "reference_url": "https://github.com/apache/airflow/pull/32261", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/32261" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-218.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-218.yaml" }, { "reference_url": "https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46288", "reference_id": "CVE-2023-46288", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46288" }, { "reference_url": "https://github.com/advisories/GHSA-9qqg-mh7c-chfq", "reference_id": "GHSA-9qqg-mh7c-chfq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9qqg-mh7c-chfq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32000?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-c5dx-r8gh-93fm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-46288", "GHSA-9qqg-mh7c-chfq", "PYSEC-2023-218" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-csqr-pdvv-gfbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36389?format=api", "vulnerability_id": "VCID-dh4r-77xc-cbas", "summary": "Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.\n\nThis issue affects Apache Airflow Sqoop Provider versions before 3.1.1.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/29500", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/apache/airflow/pull/29500" }, { "reference_url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693", "reference_id": "CVE-2023-25693", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693" }, { "reference_url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf", "reference_id": "GHSA-j69x-v4wc-3fpf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32098?format=api", "purl": "pkg:pypi/apache-airflow@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-ezmu-8g1y-e3hz" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-snqz-3f8t-syhd" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1" } ], "aliases": [ "CVE-2023-25693", "GHSA-j69x-v4wc-3fpf", "PYSEC-2023-314" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36608?format=api", "vulnerability_id": "VCID-fbjk-2uvy-mqfc", "summary": "We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. \n\nApache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. \n\nUsers should upgrade to version 2.7.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad" }, { "reference_url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef" }, { "reference_url": "https://github.com/apache/airflow/pull/33413", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33413" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml" }, { "reference_url": "https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47037", "reference_id": "CVE-2023-47037", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47037" }, { "reference_url": "https://github.com/advisories/GHSA-hm9r-7f84-25c9", "reference_id": "GHSA-hm9r-7f84-25c9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hm9r-7f84-25c9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32007?format=api", "purl": "pkg:pypi/apache-airflow@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3" } ], "aliases": [ "CVE-2023-47037", "GHSA-hm9r-7f84-25c9", "PYSEC-2023-232" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fbjk-2uvy-mqfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36651?format=api", "vulnerability_id": "VCID-j86y-n37n-n7ft", "summary": "Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nThis is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 \n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c" }, { "reference_url": "https://github.com/apache/airflow/pull/34366", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/34366" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml" }, { "reference_url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/21/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/21/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48291", "reference_id": "CVE-2023-48291", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48291" }, { "reference_url": "https://github.com/advisories/GHSA-8f57-wcmg-4jmh", "reference_id": "GHSA-8f57-wcmg-4jmh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8f57-wcmg-4jmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32013?format=api", "purl": "pkg:pypi/apache-airflow@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0" } ], "aliases": [ "CVE-2023-48291", "GHSA-8f57-wcmg-4jmh", "PYSEC-2023-265" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j86y-n37n-n7ft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36856?format=api", "vulnerability_id": "VCID-mcbu-b45m-k3ck", "summary": "Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.\nUsers should upgrade to 2.10.0 or later, which fixes this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/40933", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/40933" }, { "reference_url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/08/21/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/08/21/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32040?format=api", "purl": "pkg:pypi/apache-airflow@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0" } ], "aliases": [ "CVE-2024-41937", "PYSEC-2024-181" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36575?format=api", "vulnerability_id": "VCID-njyy-ywer-x7bf", "summary": "Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/34366", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://github.com/apache/airflow/pull/34366" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml" }, { "reference_url": "https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42792", "reference_id": "CVE-2023-42792", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42792" }, { "reference_url": "https://github.com/advisories/GHSA-j3w8-2p2h-mrr9", "reference_id": "GHSA-j3w8-2p2h-mrr9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j3w8-2p2h-mrr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42792", "GHSA-j3w8-2p2h-mrr9", "PYSEC-2023-203" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-njyy-ywer-x7bf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36545?format=api", "vulnerability_id": "VCID-pypb-cezm-rkb2", "summary": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.\n\nUsers should upgrade to version 2.7.1 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad" }, { "reference_url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef" }, { "reference_url": "https://github.com/apache/airflow/pull/33413", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/33413" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml" }, { "reference_url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611", "reference_id": "CVE-2023-40611", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611" }, { "reference_url": "https://github.com/advisories/GHSA-wpg8-mf6h-gm92", "reference_id": "GHSA-wpg8-mf6h-gm92", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wpg8-mf6h-gm92" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32003?format=api", "purl": "pkg:pypi/apache-airflow@2.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1" } ], "aliases": [ "CVE-2023-40611", "GHSA-wpg8-mf6h-gm92", "PYSEC-2023-170" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pypb-cezm-rkb2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36527?format=api", "vulnerability_id": "VCID-ryct-uaw3-fyfc", "summary": "Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603" }, { "reference_url": "https://github.com/apache/airflow/pull/32052", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "https://github.com/apache/airflow/pull/32052" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml" }, { "reference_url": "https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/08/23/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } ], "url": "http://www.openwall.com/lists/oss-security/2023/08/23/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37379", "reference_id": "CVE-2023-37379", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37379" }, { "reference_url": "https://github.com/advisories/GHSA-x2mh-8fmc-rqgh", "reference_id": "GHSA-x2mh-8fmc-rqgh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x2mh-8fmc-rqgh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31997?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0b1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32000?format=api", "purl": "pkg:pypi/apache-airflow@2.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1jx5-34px-ukbz" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-c5dx-r8gh-93fm" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0" } ], "aliases": [ "CVE-2023-37379", "GHSA-x2mh-8fmc-rqgh", "PYSEC-2023-152" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ryct-uaw3-fyfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37186?format=api", "vulnerability_id": "VCID-t3ap-dzfp-1bd6", "summary": "In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.\n\nUsers are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/59688", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/59688" }, { "reference_url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/01/15/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/01/15/6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675", "reference_id": "CVE-2025-68675", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675" }, { "reference_url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h", "reference_id": "GHSA-7c2f-r6gc-h92h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32056?format=api", "purl": "pkg:pypi/apache-airflow@2.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/47095?format=api", "purl": "pkg:pypi/apache-airflow@3.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6" } ], "aliases": [ "CVE-2025-68675", "GHSA-7c2f-r6gc-h92h", "PYSEC-2026-10" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36573?format=api", "vulnerability_id": "VCID-t476-g5u5-1yeh", "summary": "Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/34355", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/34355" }, { "reference_url": "https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42780", "reference_id": "CVE-2023-42780", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42780" }, { "reference_url": "https://github.com/advisories/GHSA-cgx2-rrmr-jx43", "reference_id": "GHSA-cgx2-rrmr-jx43", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cgx2-rrmr-jx43" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32005?format=api", "purl": "pkg:pypi/apache-airflow@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t7xp-8ua7-d7ff" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2" } ], "aliases": [ "CVE-2023-42780", "GHSA-cgx2-rrmr-jx43", "PYSEC-2023-202" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t476-g5u5-1yeh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36933?format=api", "vulnerability_id": "VCID-u5wv-47m4-8yd6", "summary": "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/43040", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/43040" }, { "reference_url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/11/15/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/11/15/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32047?format=api", "purl": "pkg:pypi/apache-airflow@2.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3" } ], "aliases": [ "CVE-2024-45784", "PYSEC-2024-182" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36652?format=api", "vulnerability_id": "VCID-wb11-e3rz-e3cf", "summary": "Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox. While this issue does not allow to exit the browser sandbox or manipulation of the server-side data - more than the DAG author already has, it allows to modify what the user looking at the DAG details sees in the browser - which opens up all kinds of possibilities of misleading other users.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/0b995602e6e5894ee31625a4dd0e6aa255d2a651", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/0b995602e6e5894ee31625a4dd0e6aa255d2a651" }, { "reference_url": "https://github.com/apache/airflow/pull/35460", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/35460" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-264.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-264.yaml" }, { "reference_url": "https://lists.apache.org/thread/128f3zl375vb1qv93k82zhnwkpl233pr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://lists.apache.org/thread/128f3zl375vb1qv93k82zhnwkpl233pr" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/21/2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/21/2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47265", "reference_id": "CVE-2023-47265", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47265" }, { "reference_url": "https://github.com/advisories/GHSA-pxch-wr7m-rwxj", "reference_id": "GHSA-pxch-wr7m-rwxj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pxch-wr7m-rwxj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32008?format=api", "purl": "pkg:pypi/apache-airflow@2.8.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0b1" } ], "aliases": [ "CVE-2023-47265", "GHSA-pxch-wr7m-rwxj", "PYSEC-2023-264" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wb11-e3rz-e3cf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36817?format=api", "vulnerability_id": "VCID-x9ns-34nt-gfer", "summary": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. \n\nAirflow did not return \"Cache-Control\" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.\n\nThis issue affects Apache Airflow: before 2.9.2.\n\nUsers are recommended to upgrade to version 2.9.2, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/39550", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/39550" }, { "reference_url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/06/13/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/06/13/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32034?format=api", "purl": "pkg:pypi/apache-airflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2" } ], "aliases": [ "CVE-2024-25142", "PYSEC-2024-195" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36835?format=api", "vulnerability_id": "VCID-ydhm-m8vh-mber", "summary": "Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/40475", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://github.com/apache/airflow/pull/40475" }, { "reference_url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32036?format=api", "purl": "pkg:pypi/apache-airflow@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3" } ], "aliases": [ "CVE-2024-39863", "PYSEC-2024-189" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36486?format=api", "vulnerability_id": "VCID-71hr-1ews-9qa6", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db" }, { "reference_url": "https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352" }, { "reference_url": "https://github.com/apache/airflow/pull/32014", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32014" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml" }, { "reference_url": "https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35908", "reference_id": "CVE-2023-35908", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35908" }, { "reference_url": "https://github.com/advisories/GHSA-2h84-3crq-vgfj", "reference_id": "GHSA-2h84-3crq-vgfj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2h84-3crq-vgfj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-35908", "GHSA-2h84-3crq-vgfj", "PYSEC-2023-119" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-71hr-1ews-9qa6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36484?format=api", "vulnerability_id": "VCID-ez45-qkb4-xkba", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/d01248382fe45a5f5a7fdeed4082a80c5f814ad8" }, { "reference_url": "https://github.com/apache/airflow/pull/32309", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32309" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-103.yaml" }, { "reference_url": "https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46651", "reference_id": "CVE-2022-46651", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46651" }, { "reference_url": "https://github.com/advisories/GHSA-xvw9-3mhm-xjqq", "reference_id": "GHSA-xvw9-3mhm-xjqq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xvw9-3mhm-xjqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2022-46651", "GHSA-xvw9-3mhm-xjqq", "PYSEC-2023-103" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ez45-qkb4-xkba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36487?format=api", "vulnerability_id": "VCID-h6sp-398p-pbeg", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02" }, { "reference_url": "https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/8ff7dfbd9e76aa40b04adeb231df3820606f5ba3" }, { "reference_url": "https://github.com/apache/airflow/pull/32293", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32293" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-104.yaml" }, { "reference_url": "https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22887", "reference_id": "CVE-2023-22887", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22887" }, { "reference_url": "https://github.com/advisories/GHSA-ggwr-4vr8-g7wv", "reference_id": "GHSA-ggwr-4vr8-g7wv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ggwr-4vr8-g7wv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-22887", "GHSA-ggwr-4vr8-g7wv", "PYSEC-2023-104" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h6sp-398p-pbeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36488?format=api", "vulnerability_id": "VCID-hy75-nfg7-zfae", "summary": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/05bd90f563649f2e9c8f0c85cf5838315a665a02" }, { "reference_url": "https://github.com/apache/airflow/pull/32293", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32293" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-105.yaml" }, { "reference_url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22888", "reference_id": "CVE-2023-22888", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22888" }, { "reference_url": "https://github.com/advisories/GHSA-5946-8p38-vffp", "reference_id": "GHSA-5946-8p38-vffp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5946-8p38-vffp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-22888", "GHSA-5946-8p38-vffp", "PYSEC-2023-105" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hy75-nfg7-zfae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36485?format=api", "vulnerability_id": "VCID-xh7u-8ze6-cqhk", "summary": "Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315" }, { "reference_url": "https://github.com/apache/airflow/pull/32060", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/airflow/pull/32060" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml" }, { "reference_url": "https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36543", "reference_id": "CVE-2023-36543", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36543" }, { "reference_url": "https://github.com/advisories/GHSA-3h4m-m55v-gx4m", "reference_id": "GHSA-3h4m-m55v-gx4m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3h4m-m55v-gx4m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31996?format=api", "purl": "pkg:pypi/apache-airflow@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-3h3z-bfsc-jqax" }, { "vulnerability": "VCID-4ga6-4111-dyc9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5cpd-kjpb-ekhv" }, { "vulnerability": "VCID-5zmy-2ape-7qfa" }, { "vulnerability": "VCID-6vg9-hu9u-q7c3" }, { "vulnerability": "VCID-835a-arqz-g7h7" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-98yf-mvnw-d3b4" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-amac-hqnj-xfgz" }, { "vulnerability": "VCID-cahz-4dy7-bbe9" }, { "vulnerability": "VCID-csqr-pdvv-gfbh" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-fbjk-2uvy-mqfc" }, { "vulnerability": "VCID-j86y-n37n-n7ft" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-njyy-ywer-x7bf" }, { "vulnerability": "VCID-pypb-cezm-rkb2" }, { "vulnerability": "VCID-ryct-uaw3-fyfc" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-t476-g5u5-1yeh" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-wb11-e3rz-e3cf" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" } ], "aliases": [ "CVE-2023-36543", "GHSA-3h4m-m55v-gx4m", "PYSEC-2023-106" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xh7u-8ze6-cqhk" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.3" }