| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1fj3-3bdw-nbch |
| vulnerability_id |
VCID-1fj3-3bdw-nbch |
| summary |
Apache Airflow exposes sensitive information in its log files
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378 |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.11.1 |
| purl |
pkg:pypi/apache-airflow@2.11.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 6 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 9 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 10 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 11 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 12 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 13 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1 |
|
|
| aliases |
CVE-2025-27555, GHSA-8r55-rv5w-6pfm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1fj3-3bdw-nbch |
|
| 1 |
| url |
VCID-1w96-f72k-ryap |
| vulnerability_id |
VCID-1w96-f72k-ryap |
| summary |
A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2026-40861, CVE-2026-40861, PYSEC-2026-181
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1w96-f72k-ryap |
|
| 2 |
| url |
VCID-29g4-vwe3-2kh2 |
| vulnerability_id |
VCID-29g4-vwe3-2kh2 |
| summary |
Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidently logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data.
If you used Azure Service Bus connection with those values set or if you have other connections with those values storing senesitve values, you should upgrade Airflow to 3.1.8. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.1.8 |
| purl |
pkg:pypi/apache-airflow@3.1.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 2 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 3 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 4 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 5 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 6 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 9 |
| vulnerability |
VCID-e26f-ucw8-m7hf |
|
| 10 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 11 |
| vulnerability |
VCID-etmw-7eq5-mqa2 |
|
| 12 |
| vulnerability |
VCID-geg4-1kgh-akde |
|
| 13 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 14 |
| vulnerability |
VCID-ps4f-qrfn-myb8 |
|
| 15 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 16 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 17 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 18 |
| vulnerability |
VCID-xd5g-jkrd-67cr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8 |
|
|
| aliases |
CVE-2026-25219, GHSA-4g48-54q2-fg7q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-29g4-vwe3-2kh2 |
|
| 3 |
| url |
VCID-2ajq-ewgt-b7c5 |
| vulnerability_id |
VCID-2ajq-ewgt-b7c5 |
| summary |
Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL prompts and TaskInstance fields routinely carry operator parameters and free-form context attached to a task, the leak widens visibility of DAG-run data beyond the intended per-DAG RBAC boundary for every authenticated user.
Users are recommended to upgrade to version 3.2.1 , which fixes this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-38743, GHSA-p3v3-229h-mc63
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| url |
VCID-2xr2-w3hk-auck |
| vulnerability_id |
VCID-2xr2-w3hk-auck |
| summary |
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.
Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.2.0 |
| purl |
pkg:pypi/apache-airflow@3.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 2 |
| vulnerability |
VCID-2zj7-8yhg-8qen |
|
| 3 |
| vulnerability |
VCID-4nax-1d7y-1kbh |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 6 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 9 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 10 |
| vulnerability |
VCID-frvt-ng4a-jqfh |
|
| 11 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 12 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0 |
|
|
| aliases |
BIT-airflow-2026-25917, CVE-2026-25917, GHSA-6ffj-2wg2-w45j, PYSEC-2026-13
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck |
|
| 5 |
| url |
VCID-3h3z-bfsc-jqax |
| vulnerability_id |
VCID-3h3z-bfsc-jqax |
| summary |
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.
This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.
Users are recommended to upgrade to 2.8.0, which fixes this issue |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.0 |
| purl |
pkg:pypi/apache-airflow@2.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-4ga6-4111-dyc9 |
|
| 6 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 7 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 8 |
| vulnerability |
VCID-6vg9-hu9u-q7c3 |
|
| 9 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 10 |
| vulnerability |
VCID-835a-arqz-g7h7 |
|
| 11 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 12 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 13 |
| vulnerability |
VCID-amac-hqnj-xfgz |
|
| 14 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 15 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 16 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 17 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 18 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 19 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 20 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 21 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 22 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 23 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 24 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 25 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 26 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 27 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 28 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 29 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 30 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0 |
|
|
| aliases |
BIT-airflow-2023-50783, CVE-2023-50783, GHSA-5938-79hg-xh3q, PYSEC-2023-267
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3h3z-bfsc-jqax |
|
| 6 |
| url |
VCID-4ga6-4111-dyc9 |
| vulnerability_id |
VCID-4ga6-4111-dyc9 |
| summary |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/36257 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-26T15:48:59Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/36257 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.1rc1 |
| purl |
pkg:pypi/apache-airflow@2.8.1rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-4ga6-4111-dyc9 |
|
| 6 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 7 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 8 |
| vulnerability |
VCID-6vg9-hu9u-q7c3 |
|
| 9 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 10 |
| vulnerability |
VCID-835a-arqz-g7h7 |
|
| 11 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 12 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 13 |
| vulnerability |
VCID-amac-hqnj-xfgz |
|
| 14 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 15 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 16 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 17 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 18 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 19 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 20 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 21 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 22 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 23 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 24 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 25 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 26 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 27 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 28 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 29 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 30 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.8.1 |
| purl |
pkg:pypi/apache-airflow@2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-6vg9-hu9u-q7c3 |
|
| 8 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 9 |
| vulnerability |
VCID-835a-arqz-g7h7 |
|
| 10 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 11 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 12 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 13 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 14 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 15 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 16 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 17 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 18 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 19 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 20 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 21 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 22 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 23 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 24 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 25 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 26 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 27 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 28 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1 |
|
|
| aliases |
BIT-airflow-2023-50944, CVE-2023-50944, GHSA-vm5m-qmrx-fw8w, PYSEC-2024-14
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9 |
|
| 7 |
| url |
VCID-56eq-awhd-d3fr |
| vulnerability_id |
VCID-56eq-awhd-d3fr |
| summary |
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author.
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/41672 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T13:50:48Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/41672 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.10.1 |
| purl |
pkg:pypi/apache-airflow@2.10.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 6 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 7 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 8 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 9 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 10 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 11 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 12 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 13 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 14 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 15 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 16 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 17 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 18 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 19 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1 |
|
|
| aliases |
BIT-airflow-2024-45034, CVE-2024-45034, GHSA-92xg-gmrq-5c3w, PYSEC-2024-212
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr |
|
| 8 |
| url |
VCID-5jyk-dgtu-zfhd |
| vulnerability_id |
VCID-5jyk-dgtu-zfhd |
| summary |
Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2026-45360, CVE-2026-45360, PYSEC-2026-186
|
| risk_score |
3.3 |
| exploitability |
0.5 |
| weighted_severity |
6.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5jyk-dgtu-zfhd |
|
| 9 |
| url |
VCID-6vg9-hu9u-q7c3 |
| vulnerability_id |
VCID-6vg9-hu9u-q7c3 |
| summary |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/apache/airflow/pull/37290 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:43:33Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/37290 |
|
| 12 |
| reference_url |
https://github.com/apache/airflow/pull/37468 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:43:33Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/37468 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.2 |
| purl |
pkg:pypi/apache-airflow@2.8.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 8 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 9 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 10 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 11 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 12 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 13 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 14 |
| vulnerability |
VCID-egd2-gh55-qfgj |
|
| 15 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 16 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 17 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 18 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 19 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 20 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 21 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 22 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 23 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 24 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 25 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 26 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 27 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2 |
|
|
| aliases |
BIT-airflow-2024-27906, CVE-2024-27906, GHSA-6v6w-h8m6-7mv2, PYSEC-2024-245
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3 |
|
| 10 |
| url |
VCID-7a12-nqbv-7fe1 |
| vulnerability_id |
VCID-7a12-nqbv-7fe1 |
| summary |
Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information.
The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.11.1 |
| purl |
pkg:pypi/apache-airflow@2.11.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 6 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 9 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 10 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 11 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 12 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 13 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1 |
|
|
| aliases |
CVE-2024-56373, GHSA-r837-hpv7-pc2f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7a12-nqbv-7fe1 |
|
| 11 |
| url |
VCID-835a-arqz-g7h7 |
| vulnerability_id |
VCID-835a-arqz-g7h7 |
| summary |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://github.com/apache/airflow/pull/37501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T15:36:34Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/37501 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
http://www.openwall.com/lists/oss-security/2024/03/01/1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T15:36:34Z/ |
|
|
| url |
http://www.openwall.com/lists/oss-security/2024/03/01/1 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.2 |
| purl |
pkg:pypi/apache-airflow@2.8.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 8 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 9 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 10 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 11 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 12 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 13 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 14 |
| vulnerability |
VCID-egd2-gh55-qfgj |
|
| 15 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 16 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 17 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 18 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 19 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 20 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 21 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 22 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 23 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 24 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 25 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 26 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 27 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2 |
|
|
| aliases |
BIT-airflow-2024-26280, CVE-2024-26280, GHSA-6xwf-xvf3-v459, PYSEC-2024-42
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7 |
|
| 12 |
| url |
VCID-91n6-evww-zybp |
| vulnerability_id |
VCID-91n6-evww-zybp |
| summary |
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/apache/airflow/pull/63028 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:56:44Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/63028 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.2.0 |
| purl |
pkg:pypi/apache-airflow@3.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 2 |
| vulnerability |
VCID-2zj7-8yhg-8qen |
|
| 3 |
| vulnerability |
VCID-4nax-1d7y-1kbh |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 6 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 9 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 10 |
| vulnerability |
VCID-frvt-ng4a-jqfh |
|
| 11 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 12 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0 |
|
|
| aliases |
BIT-airflow-2026-30912, CVE-2026-30912, GHSA-w7cf-2pmc-5m4c, PYSEC-2026-18
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp |
|
| 13 |
| url |
VCID-a64u-53x6-dfge |
| vulnerability_id |
VCID-a64u-53x6-dfge |
| summary |
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/40522 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-17T13:24:32Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/40522 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.9.3 |
| purl |
pkg:pypi/apache-airflow@2.9.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 8 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 9 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 10 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 11 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 12 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 13 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 14 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 15 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 16 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 17 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 18 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 19 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 20 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 21 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3 |
|
|
| aliases |
BIT-airflow-2024-39877, CVE-2024-39877, GHSA-g5hv-r743-v8pm, PYSEC-2024-190
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a64u-53x6-dfge |
|
| 14 |
| url |
VCID-amac-hqnj-xfgz |
| vulnerability_id |
VCID-amac-hqnj-xfgz |
| summary |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/36255 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:45Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/36255 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.1rc1 |
| purl |
pkg:pypi/apache-airflow@2.8.1rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-4ga6-4111-dyc9 |
|
| 6 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 7 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 8 |
| vulnerability |
VCID-6vg9-hu9u-q7c3 |
|
| 9 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 10 |
| vulnerability |
VCID-835a-arqz-g7h7 |
|
| 11 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 12 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 13 |
| vulnerability |
VCID-amac-hqnj-xfgz |
|
| 14 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 15 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 16 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 17 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 18 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 19 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 20 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 21 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 22 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 23 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 24 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 25 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 26 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 27 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 28 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 29 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 30 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@2.8.1 |
| purl |
pkg:pypi/apache-airflow@2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-6vg9-hu9u-q7c3 |
|
| 8 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 9 |
| vulnerability |
VCID-835a-arqz-g7h7 |
|
| 10 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 11 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 12 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 13 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 14 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 15 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 16 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 17 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 18 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 19 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 20 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 21 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 22 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 23 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 24 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 25 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 26 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 27 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 28 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1 |
|
|
| aliases |
BIT-airflow-2023-50943, CVE-2023-50943, GHSA-c3c6-f2ww-xfr2, PYSEC-2024-13
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz |
|
| 15 |
| url |
VCID-c5dx-r8gh-93fm |
| vulnerability_id |
VCID-c5dx-r8gh-93fm |
| summary |
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your "expose_config" configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/38795 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-18T20:47:34Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/38795 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.9.0 |
| purl |
pkg:pypi/apache-airflow@2.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 8 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 9 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 10 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 11 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 12 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 13 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 14 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 15 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 16 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 17 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 18 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 19 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 20 |
| vulnerability |
VCID-u6f1-4134-hug1 |
|
| 21 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 22 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 23 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 24 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 25 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.0 |
|
|
| aliases |
CVE-2024-31869, GHSA-2522-mrjc-m688
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c5dx-r8gh-93fm |
|
| 16 |
| url |
VCID-dh4r-77xc-cbas |
| vulnerability_id |
VCID-dh4r-77xc-cbas |
| summary |
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.
This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-25693 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03621 |
| scoring_system |
epss |
| scoring_elements |
0.88032 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.03621 |
| scoring_system |
epss |
| scoring_elements |
0.88009 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.03621 |
| scoring_system |
epss |
| scoring_elements |
0.8803 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.03621 |
| scoring_system |
epss |
| scoring_elements |
0.88033 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-25693 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.1.1 |
| purl |
pkg:pypi/apache-airflow@3.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2b14-1bp2-gua6 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-5hxx-r2d2-9ybk |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 8 |
| vulnerability |
VCID-9j1n-cypf-p7g5 |
|
| 9 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 10 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 11 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 12 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 13 |
| vulnerability |
VCID-e26f-ucw8-m7hf |
|
| 14 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 15 |
| vulnerability |
VCID-etmw-7eq5-mqa2 |
|
| 16 |
| vulnerability |
VCID-ezmu-8g1y-e3hz |
|
| 17 |
| vulnerability |
VCID-geg4-1kgh-akde |
|
| 18 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 19 |
| vulnerability |
VCID-hkwf-65vr-dkfz |
|
| 20 |
| vulnerability |
VCID-knrd-atwy-gubn |
|
| 21 |
| vulnerability |
VCID-ps4f-qrfn-myb8 |
|
| 22 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 23 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 24 |
| vulnerability |
VCID-snqz-3f8t-syhd |
|
| 25 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 26 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 27 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 28 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1 |
|
|
| aliases |
CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas |
|
| 17 |
| url |
VCID-djdy-z9r3-s3a2 |
| vulnerability_id |
VCID-djdy-z9r3-s3a2 |
| summary |
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2026-48726, CVE-2026-48726, PYSEC-2026-187
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-djdy-z9r3-s3a2 |
|
| 18 |
| url |
VCID-ej1r-mp6n-gudd |
| vulnerability_id |
VCID-ej1r-mp6n-gudd |
| summary |
A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2026-45192, CVE-2026-45192, PYSEC-2026-173
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ej1r-mp6n-gudd |
|
| 19 |
| url |
VCID-gxvn-spkx-9qea |
| vulnerability_id |
VCID-gxvn-spkx-9qea |
| summary |
Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.
Users are recommended to upgrade to version 3.2.1, which fixes this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-40690, GHSA-w7rc-q6cm-f5gm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gxvn-spkx-9qea |
|
| 20 |
| url |
VCID-j86y-n37n-n7ft |
| vulnerability_id |
VCID-j86y-n37n-n7ft |
| summary |
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.
This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2
Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.0 |
| purl |
pkg:pypi/apache-airflow@2.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-4ga6-4111-dyc9 |
|
| 6 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 7 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 8 |
| vulnerability |
VCID-6vg9-hu9u-q7c3 |
|
| 9 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 10 |
| vulnerability |
VCID-835a-arqz-g7h7 |
|
| 11 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 12 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 13 |
| vulnerability |
VCID-amac-hqnj-xfgz |
|
| 14 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 15 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 16 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 17 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 18 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 19 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 20 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 21 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 22 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 23 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 24 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 25 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 26 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 27 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 28 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 29 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 30 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0 |
|
|
| aliases |
BIT-airflow-2023-48291, CVE-2023-48291, GHSA-8f57-wcmg-4jmh, PYSEC-2023-265
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j86y-n37n-n7ft |
|
| 21 |
| url |
VCID-mcbu-b45m-k3ck |
| vulnerability_id |
VCID-mcbu-b45m-k3ck |
| summary |
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/40933 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:36:00Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/40933 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.10.0 |
| purl |
pkg:pypi/apache-airflow@2.10.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-53rr-p2an-3bg9 |
|
| 6 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 7 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 8 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 9 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 10 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 11 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 12 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 13 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 14 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 15 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 16 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 17 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 18 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 19 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 20 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 21 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0 |
|
|
| aliases |
BIT-airflow-2024-41937, CVE-2024-41937, GHSA-w7cp-g8v7-r54m, PYSEC-2024-181
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck |
|
| 22 |
| url |
VCID-pu6f-xhvm-q3du |
| vulnerability_id |
VCID-pu6f-xhvm-q3du |
| summary |
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path. |
| references |
|
| fixed_packages |
|
| aliases |
BIT-airflow-2026-42360, CVE-2026-42360, PYSEC-2026-172
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pu6f-xhvm-q3du |
|
| 23 |
| url |
VCID-qfsu-w1gc-6fcj |
| vulnerability_id |
VCID-qfsu-w1gc-6fcj |
| summary |
Apache Airflow error reporting may expose full kwargs
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.
The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.11.1 |
| purl |
pkg:pypi/apache-airflow@2.11.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 6 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 9 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 10 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 11 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 12 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 13 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@3.1.5rc1 |
| purl |
pkg:pypi/apache-airflow@3.1.5rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2b14-1bp2-gua6 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-5hxx-r2d2-9ybk |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 8 |
| vulnerability |
VCID-9j1n-cypf-p7g5 |
|
| 9 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 10 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 11 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 12 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 13 |
| vulnerability |
VCID-e26f-ucw8-m7hf |
|
| 14 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 15 |
| vulnerability |
VCID-etmw-7eq5-mqa2 |
|
| 16 |
| vulnerability |
VCID-ezmu-8g1y-e3hz |
|
| 17 |
| vulnerability |
VCID-geg4-1kgh-akde |
|
| 18 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 19 |
| vulnerability |
VCID-hkwf-65vr-dkfz |
|
| 20 |
| vulnerability |
VCID-knrd-atwy-gubn |
|
| 21 |
| vulnerability |
VCID-ps4f-qrfn-myb8 |
|
| 22 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 23 |
| vulnerability |
VCID-snqz-3f8t-syhd |
|
| 24 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 25 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 26 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 27 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.5rc1 |
|
|
| aliases |
CVE-2025-65995, GHSA-gfw7-2v73-69wg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qfsu-w1gc-6fcj |
|
| 24 |
| url |
VCID-t3ap-dzfp-1bd6 |
| vulnerability_id |
VCID-t3ap-dzfp-1bd6 |
| summary |
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.
Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.11.1 |
| purl |
pkg:pypi/apache-airflow@2.11.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 6 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 9 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 10 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 11 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 12 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 13 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1 |
|
| 1 |
| url |
pkg:pypi/apache-airflow@3.1.6 |
| purl |
pkg:pypi/apache-airflow@3.1.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2b14-1bp2-gua6 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-5hxx-r2d2-9ybk |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 8 |
| vulnerability |
VCID-9j1n-cypf-p7g5 |
|
| 9 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 10 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 11 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 12 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 13 |
| vulnerability |
VCID-e26f-ucw8-m7hf |
|
| 14 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 15 |
| vulnerability |
VCID-etmw-7eq5-mqa2 |
|
| 16 |
| vulnerability |
VCID-geg4-1kgh-akde |
|
| 17 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 18 |
| vulnerability |
VCID-hkwf-65vr-dkfz |
|
| 19 |
| vulnerability |
VCID-knrd-atwy-gubn |
|
| 20 |
| vulnerability |
VCID-ps4f-qrfn-myb8 |
|
| 21 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 22 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 23 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 24 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6 |
|
|
| aliases |
BIT-airflow-2025-68675, CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6 |
|
| 25 |
| url |
VCID-t7xp-8ua7-d7ff |
| vulnerability_id |
VCID-t7xp-8ua7-d7ff |
| summary |
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later which is not affected |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.8.0 |
| purl |
pkg:pypi/apache-airflow@2.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-4ga6-4111-dyc9 |
|
| 6 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 7 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 8 |
| vulnerability |
VCID-6vg9-hu9u-q7c3 |
|
| 9 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 10 |
| vulnerability |
VCID-835a-arqz-g7h7 |
|
| 11 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 12 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 13 |
| vulnerability |
VCID-amac-hqnj-xfgz |
|
| 14 |
| vulnerability |
VCID-c5dx-r8gh-93fm |
|
| 15 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 16 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 17 |
| vulnerability |
VCID-e5dn-tpzy-qqec |
|
| 18 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 19 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 20 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 21 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 22 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 23 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 24 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 25 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 26 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 27 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 28 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 29 |
| vulnerability |
VCID-x9ns-34nt-gfer |
|
| 30 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0 |
|
|
| aliases |
BIT-airflow-2023-49920, CVE-2023-49920, GHSA-6m9r-7wrx-xmr6, PYSEC-2023-266
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t7xp-8ua7-d7ff |
|
| 26 |
| url |
VCID-tbb9-myv7-a7h4 |
| vulnerability_id |
VCID-tbb9-myv7-a7h4 |
| summary |
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to.
Users are advised to upgrade to 3.1.7 or later, which resolves this issue |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.1.7 |
| purl |
pkg:pypi/apache-airflow@3.1.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 2 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 3 |
| vulnerability |
VCID-2b14-1bp2-gua6 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 6 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 7 |
| vulnerability |
VCID-9j1n-cypf-p7g5 |
|
| 8 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 9 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 10 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 11 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 12 |
| vulnerability |
VCID-e26f-ucw8-m7hf |
|
| 13 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 14 |
| vulnerability |
VCID-etmw-7eq5-mqa2 |
|
| 15 |
| vulnerability |
VCID-geg4-1kgh-akde |
|
| 16 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 17 |
| vulnerability |
VCID-hkwf-65vr-dkfz |
|
| 18 |
| vulnerability |
VCID-knrd-atwy-gubn |
|
| 19 |
| vulnerability |
VCID-ps4f-qrfn-myb8 |
|
| 20 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 21 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 22 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.7 |
|
|
| aliases |
BIT-airflow-2026-24098, CVE-2026-24098, GHSA-5g2w-9f8g-g5q7, PYSEC-2026-12
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tbb9-myv7-a7h4 |
|
| 27 |
| url |
VCID-u5wv-47m4-8yd6 |
| vulnerability_id |
VCID-u5wv-47m4-8yd6 |
| summary |
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.10.3 |
| purl |
pkg:pypi/apache-airflow@2.10.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 6 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 7 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 8 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 9 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 10 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 11 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 12 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 13 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 14 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 15 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 16 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 17 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3 |
|
|
| aliases |
BIT-airflow-2024-45784, CVE-2024-45784, GHSA-46c3-5xc5-wwhv, PYSEC-2024-182
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6 |
|
| 28 |
| url |
VCID-v7y9-5tsg-wyhe |
| vulnerability_id |
VCID-v7y9-5tsg-wyhe |
| summary |
Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
| reference_url |
https://github.com/apache/airflow/pull/43123 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 3 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-08T17:21:41Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/43123 |
|
| 3 |
| reference_url |
https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 3 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-08T17:21:41Z/ |
|
|
| url |
https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.10.3 |
| purl |
pkg:pypi/apache-airflow@2.10.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 6 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 7 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 8 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 9 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 10 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 11 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 12 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 13 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 14 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 15 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 16 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 17 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3 |
|
|
| aliases |
CVE-2024-50378, GHSA-j857-2pwm-jjmm
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v7y9-5tsg-wyhe |
|
| 29 |
| url |
VCID-w56f-fmkf-dkfv |
| vulnerability_id |
VCID-w56f-fmkf-dkfv |
| summary |
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4].
[1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html
[2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html
[3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html
[4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/
Users are recommended to upgrade to version 3.2.0, which fixes this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/58662 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:20:26Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/58662 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.2.0 |
| purl |
pkg:pypi/apache-airflow@3.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 2 |
| vulnerability |
VCID-2zj7-8yhg-8qen |
|
| 3 |
| vulnerability |
VCID-4nax-1d7y-1kbh |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 6 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 9 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 10 |
| vulnerability |
VCID-frvt-ng4a-jqfh |
|
| 11 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 12 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0 |
|
|
| aliases |
BIT-airflow-2025-66236, CVE-2025-66236, GHSA-j86x-fwp2-qh7v, PYSEC-2026-8
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w56f-fmkf-dkfv |
|
| 30 |
| url |
VCID-w5aw-fb9r-uydg |
| vulnerability_id |
VCID-w5aw-fb9r-uydg |
| summary |
Apache Airflow: RCE by race condition in example_xcom dag
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value
from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary
execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability.
It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however
users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of
the example with improved resiliance for that case.
Users who followed that pattern are advised to adjust their implementations accordingly. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.2.0 |
| purl |
pkg:pypi/apache-airflow@3.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 1 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 2 |
| vulnerability |
VCID-2zj7-8yhg-8qen |
|
| 3 |
| vulnerability |
VCID-4nax-1d7y-1kbh |
|
| 4 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 5 |
| vulnerability |
VCID-9ru4-qyks-hybs |
|
| 6 |
| vulnerability |
VCID-dhj9-usjr-nbfe |
|
| 7 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 8 |
| vulnerability |
VCID-dzfs-e5ys-fbhz |
|
| 9 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 10 |
| vulnerability |
VCID-frvt-ng4a-jqfh |
|
| 11 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 12 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0 |
|
|
| aliases |
CVE-2025-54550, GHSA-q2hg-643c-gw8h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w5aw-fb9r-uydg |
|
| 31 |
| url |
VCID-x9ns-34nt-gfer |
| vulnerability_id |
VCID-x9ns-34nt-gfer |
| summary |
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.
Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.
This issue affects Apache Airflow: before 2.9.2.
Users are recommended to upgrade to version 2.9.2, which fixes the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.9.2 |
| purl |
pkg:pypi/apache-airflow@2.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 8 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 9 |
| vulnerability |
VCID-a64u-53x6-dfge |
|
| 10 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 11 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 12 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 13 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 14 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 15 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 16 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 17 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 18 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 19 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 20 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 21 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 22 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
| 23 |
| vulnerability |
VCID-ydhm-m8vh-mber |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2 |
|
|
| aliases |
BIT-airflow-2024-25142, CVE-2024-25142, GHSA-9xpj-62mm-24h2, PYSEC-2024-195
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
5.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer |
|
| 32 |
| url |
VCID-ydhm-m8vh-mber |
| vulnerability_id |
VCID-ydhm-m8vh-mber |
| summary |
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/apache/airflow |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/airflow |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/airflow/pull/40475 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T19:39:48Z/ |
|
|
| url |
https://github.com/apache/airflow/pull/40475 |
|
| 4 |
|
| 5 |
| reference_url |
https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T19:39:48Z/ |
|
|
| url |
https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@2.9.3 |
| purl |
pkg:pypi/apache-airflow@2.9.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1fj3-3bdw-nbch |
|
| 1 |
| vulnerability |
VCID-1w96-f72k-ryap |
|
| 2 |
| vulnerability |
VCID-29g4-vwe3-2kh2 |
|
| 3 |
| vulnerability |
VCID-2ajq-ewgt-b7c5 |
|
| 4 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 5 |
| vulnerability |
VCID-56eq-awhd-d3fr |
|
| 6 |
| vulnerability |
VCID-5jyk-dgtu-zfhd |
|
| 7 |
| vulnerability |
VCID-7a12-nqbv-7fe1 |
|
| 8 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 9 |
| vulnerability |
VCID-dh4r-77xc-cbas |
|
| 10 |
| vulnerability |
VCID-djdy-z9r3-s3a2 |
|
| 11 |
| vulnerability |
VCID-ej1r-mp6n-gudd |
|
| 12 |
| vulnerability |
VCID-gxvn-spkx-9qea |
|
| 13 |
| vulnerability |
VCID-mcbu-b45m-k3ck |
|
| 14 |
| vulnerability |
VCID-pu6f-xhvm-q3du |
|
| 15 |
| vulnerability |
VCID-qfsu-w1gc-6fcj |
|
| 16 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 17 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 18 |
| vulnerability |
VCID-u5wv-47m4-8yd6 |
|
| 19 |
| vulnerability |
VCID-v7y9-5tsg-wyhe |
|
| 20 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
| 21 |
| vulnerability |
VCID-w5aw-fb9r-uydg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3 |
|
|
| aliases |
BIT-airflow-2024-39863, CVE-2024-39863, GHSA-j482-47xf-p25c, PYSEC-2024-189
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber |
|
|
|---|