Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-airflow@2.8.0
Typepypi
Namespace
Nameapache-airflow
Version2.8.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.2.0
Latest_non_vulnerable_version3.2.0
Affected_by_vulnerabilities
0
url VCID-2xr2-w3hk-auck
vulnerability_id VCID-2xr2-w3hk-auck
summary 
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/61641
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/61641
1
reference_url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/9
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url http://www.openwall.com/lists/oss-security/2026/04/17/9
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-25917, PYSEC-2026-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck
1
url VCID-4ga6-4111-dyc9
vulnerability_id VCID-4ga6-4111-dyc9
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
2
reference_url https://github.com/apache/airflow/pull/36257
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/36257
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
4
reference_url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
reference_id
reference_type
scores
url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
reference_id CVE-2023-50944
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
6
reference_url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
reference_id GHSA-vm5m-qmrx-fw8w
reference_type
scores
url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-4ga6-4111-dyc9
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-6vg9-hu9u-q7c3
4
vulnerability VCID-835a-arqz-g7h7
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-a64u-53x6-dfge
7
vulnerability VCID-amac-hqnj-xfgz
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-e5dn-tpzy-qqec
10
vulnerability VCID-mcbu-b45m-k3ck
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-x9ns-34nt-gfer
14
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-6vg9-hu9u-q7c3
3
vulnerability VCID-835a-arqz-g7h7
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-e5dn-tpzy-qqec
8
vulnerability VCID-mcbu-b45m-k3ck
9
vulnerability VCID-t3ap-dzfp-1bd6
10
vulnerability VCID-u5wv-47m4-8yd6
11
vulnerability VCID-x9ns-34nt-gfer
12
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50944, GHSA-vm5m-qmrx-fw8w, PYSEC-2024-14
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9
2
url VCID-56eq-awhd-d3fr
vulnerability_id VCID-56eq-awhd-d3fr
summary 
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. 
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/41672
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/41672
1
reference_url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
reference_id
reference_type
scores
url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
2
reference_url http://www.openwall.com/lists/oss-security/2024/09/06/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/09/06/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.1
purl pkg:pypi/apache-airflow@2.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-91n6-evww-zybp
2
vulnerability VCID-dh4r-77xc-cbas
3
vulnerability VCID-t3ap-dzfp-1bd6
4
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1
aliases CVE-2024-45034, PYSEC-2024-212
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr
3
url VCID-6vg9-hu9u-q7c3
vulnerability_id VCID-6vg9-hu9u-q7c3
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
2
reference_url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
3
reference_url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
4
reference_url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
5
reference_url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
6
reference_url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
7
reference_url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
8
reference_url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
9
reference_url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
10
reference_url https://github.com/apache/airflow/pull/37290
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37290
11
reference_url https://github.com/apache/airflow/pull/37468
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37468
12
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
13
reference_url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
reference_id
reference_type
scores
url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
14
reference_url http://www.openwall.com/lists/oss-security/2024/02/29/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/02/29/1
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
reference_id CVE-2024-27906
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
16
reference_url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
reference_id GHSA-6v6w-h8m6-7mv2
reference_type
scores
url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-a64u-53x6-dfge
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-e5dn-tpzy-qqec
6
vulnerability VCID-egd2-gh55-qfgj
7
vulnerability VCID-mcbu-b45m-k3ck
8
vulnerability VCID-t3ap-dzfp-1bd6
9
vulnerability VCID-u5wv-47m4-8yd6
10
vulnerability VCID-x9ns-34nt-gfer
11
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-27906, GHSA-6v6w-h8m6-7mv2, PYSEC-2024-245
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3
4
url VCID-835a-arqz-g7h7
vulnerability_id VCID-835a-arqz-g7h7
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
2
reference_url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
3
reference_url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
4
reference_url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
5
reference_url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
6
reference_url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
7
reference_url https://github.com/apache/airflow/pull/37501
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37501
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
9
reference_url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
reference_id
reference_type
scores
url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
reference_id CVE-2024-26280
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
11
reference_url https://github.com/advisories/GHSA-6xwf-xvf3-v459
reference_id GHSA-6xwf-xvf3-v459
reference_type
scores
url https://github.com/advisories/GHSA-6xwf-xvf3-v459
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-a64u-53x6-dfge
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-e5dn-tpzy-qqec
6
vulnerability VCID-egd2-gh55-qfgj
7
vulnerability VCID-mcbu-b45m-k3ck
8
vulnerability VCID-t3ap-dzfp-1bd6
9
vulnerability VCID-u5wv-47m4-8yd6
10
vulnerability VCID-x9ns-34nt-gfer
11
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-26280, GHSA-6xwf-xvf3-v459, PYSEC-2024-42
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7
5
url VCID-91n6-evww-zybp
vulnerability_id VCID-91n6-evww-zybp
summary In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/63028
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/63028
1
reference_url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/04/17/5
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-30912, PYSEC-2026-18
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp
6
url VCID-a64u-53x6-dfge
vulnerability_id VCID-a64u-53x6-dfge
summary Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/40522
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/40522
1
reference_url https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
2
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/7
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url http://www.openwall.com/lists/oss-security/2024/07/16/7
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.3
purl pkg:pypi/apache-airflow@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-dh4r-77xc-cbas
4
vulnerability VCID-mcbu-b45m-k3ck
5
vulnerability VCID-t3ap-dzfp-1bd6
6
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3
aliases CVE-2024-39877, PYSEC-2024-190
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a64u-53x6-dfge
7
url VCID-amac-hqnj-xfgz
vulnerability_id VCID-amac-hqnj-xfgz
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
2
reference_url https://github.com/apache/airflow/pull/36255
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/36255
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
4
reference_url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
reference_id
reference_type
scores
url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
reference_id CVE-2023-50943
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
6
reference_url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
reference_id GHSA-c3c6-f2ww-xfr2
reference_type
scores
url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-4ga6-4111-dyc9
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-6vg9-hu9u-q7c3
4
vulnerability VCID-835a-arqz-g7h7
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-a64u-53x6-dfge
7
vulnerability VCID-amac-hqnj-xfgz
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-e5dn-tpzy-qqec
10
vulnerability VCID-mcbu-b45m-k3ck
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-x9ns-34nt-gfer
14
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-6vg9-hu9u-q7c3
3
vulnerability VCID-835a-arqz-g7h7
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-e5dn-tpzy-qqec
8
vulnerability VCID-mcbu-b45m-k3ck
9
vulnerability VCID-t3ap-dzfp-1bd6
10
vulnerability VCID-u5wv-47m4-8yd6
11
vulnerability VCID-x9ns-34nt-gfer
12
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50943, GHSA-c3c6-f2ww-xfr2, PYSEC-2024-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz
8
url VCID-dh4r-77xc-cbas
vulnerability_id VCID-dh4r-77xc-cbas
summary 
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.

This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/29500
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/29500
2
reference_url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
reference_id CVE-2023-25693
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
4
reference_url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
reference_id GHSA-j69x-v4wc-3fpf
reference_type
scores
url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.1
purl pkg:pypi/apache-airflow@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2b14-1bp2-gua6
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5hxx-r2d2-9ybk
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-9j1n-cypf-p7g5
5
vulnerability VCID-etmw-7eq5-mqa2
6
vulnerability VCID-ezmu-8g1y-e3hz
7
vulnerability VCID-geg4-1kgh-akde
8
vulnerability VCID-hkwf-65vr-dkfz
9
vulnerability VCID-knrd-atwy-gubn
10
vulnerability VCID-snqz-3f8t-syhd
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-tbb9-myv7-a7h4
13
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1
aliases CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas
9
url VCID-e5dn-tpzy-qqec
vulnerability_id VCID-e5dn-tpzy-qqec
summary 
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. 

Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca
2
reference_url https://github.com/apache/airflow/pull/37881
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/37881
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml
4
reference_url https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7
reference_id
reference_type
scores
url https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28746
reference_id CVE-2024-28746
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-28746
6
reference_url https://github.com/advisories/GHSA-h574-6646-vfxx
reference_id GHSA-h574-6646-vfxx
reference_type
scores
url https://github.com/advisories/GHSA-h574-6646-vfxx
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.3rc1
purl pkg:pypi/apache-airflow@2.8.3rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-a64u-53x6-dfge
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-mcbu-b45m-k3ck
6
vulnerability VCID-t3ap-dzfp-1bd6
7
vulnerability VCID-u5wv-47m4-8yd6
8
vulnerability VCID-x9ns-34nt-gfer
9
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.3rc1
aliases CVE-2024-28746, GHSA-h574-6646-vfxx, PYSEC-2024-46
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e5dn-tpzy-qqec
10
url VCID-mcbu-b45m-k3ck
vulnerability_id VCID-mcbu-b45m-k3ck
summary 
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/40933
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://github.com/apache/airflow/pull/40933
1
reference_url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
2
reference_url http://www.openwall.com/lists/oss-security/2024/08/21/3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url http://www.openwall.com/lists/oss-security/2024/08/21/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.0
purl pkg:pypi/apache-airflow@2.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-dh4r-77xc-cbas
4
vulnerability VCID-t3ap-dzfp-1bd6
5
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0
aliases CVE-2024-41937, PYSEC-2024-181
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck
11
url VCID-t3ap-dzfp-1bd6
vulnerability_id VCID-t3ap-dzfp-1bd6
summary 
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/59688
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/59688
2
reference_url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
3
reference_url http://www.openwall.com/lists/oss-security/2026/01/15/6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/01/15/6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
reference_id CVE-2025-68675
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
5
reference_url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
reference_id GHSA-7c2f-r6gc-h92h
reference_type
scores
url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
fixed_packages
0
url pkg:pypi/apache-airflow@2.11.1
purl pkg:pypi/apache-airflow@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-91n6-evww-zybp
2
vulnerability VCID-dh4r-77xc-cbas
3
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1
1
url pkg:pypi/apache-airflow@3.1.6
purl pkg:pypi/apache-airflow@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2b14-1bp2-gua6
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5hxx-r2d2-9ybk
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-9j1n-cypf-p7g5
5
vulnerability VCID-etmw-7eq5-mqa2
6
vulnerability VCID-geg4-1kgh-akde
7
vulnerability VCID-hkwf-65vr-dkfz
8
vulnerability VCID-knrd-atwy-gubn
9
vulnerability VCID-tbb9-myv7-a7h4
10
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6
aliases CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6
12
url VCID-u5wv-47m4-8yd6
vulnerability_id VCID-u5wv-47m4-8yd6
summary Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
references
0
reference_url https://github.com/apache/airflow/pull/43040
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/43040
1
reference_url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
reference_id
reference_type
scores
url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
2
reference_url http://www.openwall.com/lists/oss-security/2024/11/15/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/11/15/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.3
purl pkg:pypi/apache-airflow@2.10.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-91n6-evww-zybp
2
vulnerability VCID-dh4r-77xc-cbas
3
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3
aliases CVE-2024-45784, PYSEC-2024-182
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6
13
url VCID-x9ns-34nt-gfer
vulnerability_id VCID-x9ns-34nt-gfer
summary 
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/39550
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/39550
1
reference_url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
2
reference_url http://www.openwall.com/lists/oss-security/2024/06/13/1
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2024/06/13/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.2
purl pkg:pypi/apache-airflow@2.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-a64u-53x6-dfge
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-mcbu-b45m-k3ck
6
vulnerability VCID-t3ap-dzfp-1bd6
7
vulnerability VCID-u5wv-47m4-8yd6
8
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2
aliases CVE-2024-25142, PYSEC-2024-195
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer
14
url VCID-ydhm-m8vh-mber
vulnerability_id VCID-ydhm-m8vh-mber
summary Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow/pull/40475
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://github.com/apache/airflow/pull/40475
1
reference_url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
2
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/6
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url http://www.openwall.com/lists/oss-security/2024/07/16/6
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.3
purl pkg:pypi/apache-airflow@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-56eq-awhd-d3fr
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-dh4r-77xc-cbas
4
vulnerability VCID-mcbu-b45m-k3ck
5
vulnerability VCID-t3ap-dzfp-1bd6
6
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3
aliases CVE-2024-39863, PYSEC-2024-189
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber
Fixing_vulnerabilities
0
url VCID-3h3z-bfsc-jqax
vulnerability_id VCID-3h3z-bfsc-jqax
summary 
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.
This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.
Users are recommended to upgrade to 2.8.0, which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929
2
reference_url https://github.com/apache/airflow/pull/33932
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://github.com/apache/airflow/pull/33932
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml
4
reference_url https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn
5
reference_url http://www.openwall.com/lists/oss-security/2023/12/21/4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url http://www.openwall.com/lists/oss-security/2023/12/21/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50783
reference_id CVE-2023-50783
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50783
7
reference_url https://github.com/advisories/GHSA-5938-79hg-xh3q
reference_id GHSA-5938-79hg-xh3q
reference_type
scores
url https://github.com/advisories/GHSA-5938-79hg-xh3q
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.0
purl pkg:pypi/apache-airflow@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-4ga6-4111-dyc9
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-6vg9-hu9u-q7c3
4
vulnerability VCID-835a-arqz-g7h7
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-a64u-53x6-dfge
7
vulnerability VCID-amac-hqnj-xfgz
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-e5dn-tpzy-qqec
10
vulnerability VCID-mcbu-b45m-k3ck
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-x9ns-34nt-gfer
14
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0
aliases CVE-2023-50783, GHSA-5938-79hg-xh3q, PYSEC-2023-267
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3h3z-bfsc-jqax
1
url VCID-j86y-n37n-n7ft
vulnerability_id VCID-j86y-n37n-n7ft
summary 
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.

This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 

Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c
2
reference_url https://github.com/apache/airflow/pull/34366
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://github.com/apache/airflow/pull/34366
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml
4
reference_url https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3
5
reference_url http://www.openwall.com/lists/oss-security/2023/12/21/1
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url http://www.openwall.com/lists/oss-security/2023/12/21/1
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48291
reference_id CVE-2023-48291
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-48291
7
reference_url https://github.com/advisories/GHSA-8f57-wcmg-4jmh
reference_id GHSA-8f57-wcmg-4jmh
reference_type
scores
url https://github.com/advisories/GHSA-8f57-wcmg-4jmh
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.0
purl pkg:pypi/apache-airflow@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-4ga6-4111-dyc9
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-6vg9-hu9u-q7c3
4
vulnerability VCID-835a-arqz-g7h7
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-a64u-53x6-dfge
7
vulnerability VCID-amac-hqnj-xfgz
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-e5dn-tpzy-qqec
10
vulnerability VCID-mcbu-b45m-k3ck
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-x9ns-34nt-gfer
14
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0
aliases CVE-2023-48291, GHSA-8f57-wcmg-4jmh, PYSEC-2023-265
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j86y-n37n-n7ft
2
url VCID-t7xp-8ua7-d7ff
vulnerability_id VCID-t7xp-8ua7-d7ff
summary 
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later which is not affected
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/f5d802791fa5f6b13b635f06a1ea2eccc22a9ba7
reference_id
reference_type
scores
url https://github.com/apache/airflow/commit/f5d802791fa5f6b13b635f06a1ea2eccc22a9ba7
2
reference_url https://github.com/apache/airflow/pull/36026
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://github.com/apache/airflow/pull/36026
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-266.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-266.yaml
4
reference_url https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq
5
reference_url http://www.openwall.com/lists/oss-security/2023/12/21/3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url http://www.openwall.com/lists/oss-security/2023/12/21/3
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49920
reference_id CVE-2023-49920
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-49920
7
reference_url https://github.com/advisories/GHSA-6m9r-7wrx-xmr6
reference_id GHSA-6m9r-7wrx-xmr6
reference_type
scores
url https://github.com/advisories/GHSA-6m9r-7wrx-xmr6
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.0b1
purl pkg:pypi/apache-airflow@2.8.0b1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-3h3z-bfsc-jqax
2
vulnerability VCID-4ga6-4111-dyc9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-6vg9-hu9u-q7c3
5
vulnerability VCID-835a-arqz-g7h7
6
vulnerability VCID-91n6-evww-zybp
7
vulnerability VCID-a64u-53x6-dfge
8
vulnerability VCID-amac-hqnj-xfgz
9
vulnerability VCID-dh4r-77xc-cbas
10
vulnerability VCID-j86y-n37n-n7ft
11
vulnerability VCID-mcbu-b45m-k3ck
12
vulnerability VCID-t3ap-dzfp-1bd6
13
vulnerability VCID-u5wv-47m4-8yd6
14
vulnerability VCID-x9ns-34nt-gfer
15
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0b1
1
url pkg:pypi/apache-airflow@2.8.0
purl pkg:pypi/apache-airflow@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-4ga6-4111-dyc9
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-6vg9-hu9u-q7c3
4
vulnerability VCID-835a-arqz-g7h7
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-a64u-53x6-dfge
7
vulnerability VCID-amac-hqnj-xfgz
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-e5dn-tpzy-qqec
10
vulnerability VCID-mcbu-b45m-k3ck
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-x9ns-34nt-gfer
14
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0
aliases CVE-2023-49920, GHSA-6m9r-7wrx-xmr6, PYSEC-2023-266
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t7xp-8ua7-d7ff
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0