Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/32017?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/32017?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2rc2", "type": "pypi", "namespace": "", "name": "apache-airflow", "version": "2.8.2rc2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.2.2", "latest_non_vulnerable_version": "3.2.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51349?format=api", "vulnerability_id": "VCID-1w96-f72k-ryap", "summary": "A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/65325", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/65325" }, { "reference_url": "https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/05/31/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/05/31/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75455?format=api", "purl": "pkg:pypi/apache-airflow@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2" } ], "aliases": [ "CVE-2026-40861", "PYSEC-2026-181" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1w96-f72k-ryap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37294?format=api", "vulnerability_id": "VCID-2xr2-w3hk-auck", "summary": "Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/61641", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/61641" }, { "reference_url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25917", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25917" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2zj7-8yhg-8qen" }, { "vulnerability": "VCID-4nax-1d7y-1kbh" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-9ru4-qyks-hybs" }, { "vulnerability": "VCID-dhj9-usjr-nbfe" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-dzfs-e5ys-fbhz" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-frvt-ng4a-jqfh" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-25917", "GHSA-6ffj-2wg2-w45j", "PYSEC-2026-13" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36861?format=api", "vulnerability_id": "VCID-56eq-awhd-d3fr", "summary": "Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. \nUsers are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d" }, { "reference_url": "https://github.com/apache/airflow/pull/41672", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/41672" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml" }, { "reference_url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/09/06/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/09/06/3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45034", "reference_id": "CVE-2024-45034", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45034" }, { "reference_url": "https://github.com/advisories/GHSA-92xg-gmrq-5c3w", "reference_id": "GHSA-92xg-gmrq-5c3w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-92xg-gmrq-5c3w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32042?format=api", "purl": "pkg:pypi/apache-airflow@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1" } ], "aliases": [ "CVE-2024-45034", "GHSA-92xg-gmrq-5c3w", "PYSEC-2024-212" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51370?format=api", "vulnerability_id": "VCID-5jyk-dgtu-zfhd", "summary": "Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/66737", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://github.com/apache/airflow/pull/66737" }, { "reference_url": "https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/05/31/12", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "http://www.openwall.com/lists/oss-security/2026/05/31/12" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75455?format=api", "purl": "pkg:pypi/apache-airflow@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2" } ], "aliases": [ "CVE-2026-45360", "PYSEC-2026-186" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5jyk-dgtu-zfhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36744?format=api", "vulnerability_id": "VCID-6vg9-hu9u-q7c3", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b" }, { "reference_url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9" }, { "reference_url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7" }, { "reference_url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a" }, { "reference_url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326" }, { "reference_url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446" }, { "reference_url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24" }, { "reference_url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2" }, { "reference_url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4" }, { "reference_url": "https://github.com/apache/airflow/pull/37290", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/37290" }, { "reference_url": "https://github.com/apache/airflow/pull/37468", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/37468" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml" }, { "reference_url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/29/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/29/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906", "reference_id": "CVE-2024-27906", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27906" }, { "reference_url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2", "reference_id": "GHSA-6v6w-h8m6-7mv2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6v6w-h8m6-7mv2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-27906", "GHSA-6v6w-h8m6-7mv2", "PYSEC-2024-245" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36745?format=api", "vulnerability_id": "VCID-835a-arqz-g7h7", "summary": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa" }, { "reference_url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99" }, { "reference_url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e" }, { "reference_url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d" }, { "reference_url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f" }, { "reference_url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c" }, { "reference_url": "https://github.com/apache/airflow/pull/37501", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/37501" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml" }, { "reference_url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/03/01/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/03/01/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280", "reference_id": "CVE-2024-26280", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280" }, { "reference_url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459", "reference_id": "GHSA-6xwf-xvf3-v459", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6xwf-xvf3-v459" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32019?format=api", "purl": "pkg:pypi/apache-airflow@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-e5dn-tpzy-qqec" }, { "vulnerability": "VCID-egd2-gh55-qfgj" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2" } ], "aliases": [ "CVE-2024-26280", "GHSA-6xwf-xvf3-v459", "PYSEC-2024-42" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37295?format=api", "vulnerability_id": "VCID-91n6-evww-zybp", "summary": "In case of SQL errors, exception/stack trace of errors was exposed in API even if \"api/expose_stack_traces\" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/63028", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/63028" }, { "reference_url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30912", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30912" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/17/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49522?format=api", "purl": "pkg:pypi/apache-airflow@3.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2zj7-8yhg-8qen" }, { "vulnerability": "VCID-4nax-1d7y-1kbh" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-9ru4-qyks-hybs" }, { "vulnerability": "VCID-dhj9-usjr-nbfe" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-dzfs-e5ys-fbhz" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-frvt-ng4a-jqfh" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0" } ], "aliases": [ "CVE-2026-30912", "GHSA-w7cf-2pmc-5m4c", "PYSEC-2026-18" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36836?format=api", "vulnerability_id": "VCID-a64u-53x6-dfge", "summary": "Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531" }, { "reference_url": "https://github.com/apache/airflow/pull/40522", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/40522" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml" }, { "reference_url": "https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39877", "reference_id": "CVE-2024-39877", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39877" }, { "reference_url": "https://github.com/advisories/GHSA-g5hv-r743-v8pm", "reference_id": "GHSA-g5hv-r743-v8pm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g5hv-r743-v8pm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32036?format=api", "purl": "pkg:pypi/apache-airflow@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3" } ], "aliases": [ "CVE-2024-39877", "GHSA-g5hv-r743-v8pm", "PYSEC-2024-190" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a64u-53x6-dfge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36389?format=api", "vulnerability_id": "VCID-dh4r-77xc-cbas", "summary": "Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.\n\nThis issue affects Apache Airflow Sqoop Provider versions before 3.1.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25693", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03621", "scoring_system": "epss", "scoring_elements": "0.88009", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25693" }, { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/29500", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/29500" }, { "reference_url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693", "reference_id": "CVE-2023-25693", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25693" }, { "reference_url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf", "reference_id": "GHSA-j69x-v4wc-3fpf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j69x-v4wc-3fpf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32098?format=api", "purl": "pkg:pypi/apache-airflow@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-9ru4-qyks-hybs" }, { "vulnerability": "VCID-dhj9-usjr-nbfe" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-dzfs-e5ys-fbhz" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-ezmu-8g1y-e3hz" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-snqz-3f8t-syhd" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1" } ], "aliases": [ "CVE-2023-25693", "GHSA-j69x-v4wc-3fpf", "PYSEC-2023-314" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51391?format=api", "vulnerability_id": "VCID-djdy-z9r3-s3a2", "summary": "A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/67289", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/67289" }, { "reference_url": "https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx" }, { "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-57735", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2025-57735" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75455?format=api", "purl": "pkg:pypi/apache-airflow@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2" } ], "aliases": [ "CVE-2026-48726", "PYSEC-2026-187" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-djdy-z9r3-s3a2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36750?format=api", "vulnerability_id": "VCID-e5dn-tpzy-qqec", "summary": "Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. \n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca" }, { "reference_url": "https://github.com/apache/airflow/pull/37881", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/37881" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml" }, { "reference_url": "https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/03/13/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/03/13/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28746", "reference_id": "CVE-2024-28746", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28746" }, { "reference_url": "https://github.com/advisories/GHSA-h574-6646-vfxx", "reference_id": "GHSA-h574-6646-vfxx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h574-6646-vfxx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32020?format=api", "purl": "pkg:pypi/apache-airflow@2.8.3rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-x9ns-34nt-gfer" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.3rc1" } ], "aliases": [ "CVE-2024-28746", "GHSA-h574-6646-vfxx", "PYSEC-2024-46" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e5dn-tpzy-qqec" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51334?format=api", "vulnerability_id": "VCID-ej1r-mp6n-gudd", "summary": "A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/66673", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/66673" }, { "reference_url": "https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/06/01/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2026/06/01/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75455?format=api", "purl": "pkg:pypi/apache-airflow@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2" } ], "aliases": [ "CVE-2026-45192", "PYSEC-2026-173" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ej1r-mp6n-gudd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36856?format=api", "vulnerability_id": "VCID-mcbu-b45m-k3ck", "summary": "Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.\nUsers should upgrade to 2.10.0 or later, which fixes this vulnerability.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98" }, { "reference_url": "https://github.com/apache/airflow/pull/40933", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/40933" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml" }, { "reference_url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/08/21/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/08/21/3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41937", "reference_id": "CVE-2024-41937", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41937" }, { "reference_url": "https://github.com/advisories/GHSA-w7cp-g8v7-r54m", "reference_id": "GHSA-w7cp-g8v7-r54m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w7cp-g8v7-r54m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32040?format=api", "purl": "pkg:pypi/apache-airflow@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-53rr-p2an-3bg9" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0" } ], "aliases": [ "CVE-2024-41937", "GHSA-w7cp-g8v7-r54m", "PYSEC-2024-181" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51363?format=api", "vulnerability_id": "VCID-pu6f-xhvm-q3du", "summary": "A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.", "references": [ { "reference_url": "https://github.com/apache/airflow/pull/65906", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/apache/airflow/pull/65906" }, { "reference_url": "https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75455?format=api", "purl": "pkg:pypi/apache-airflow@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2" } ], "aliases": [ "CVE-2026-42360", "PYSEC-2026-172" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pu6f-xhvm-q3du" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37186?format=api", "vulnerability_id": "VCID-t3ap-dzfp-1bd6", "summary": "In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.\n\nUsers are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/59688", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/59688" }, { "reference_url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/01/15/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/01/15/6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675", "reference_id": "CVE-2025-68675", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675" }, { "reference_url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h", "reference_id": "GHSA-7c2f-r6gc-h92h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c2f-r6gc-h92h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32056?format=api", "purl": "pkg:pypi/apache-airflow@2.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/47095?format=api", "purl": "pkg:pypi/apache-airflow@3.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2b14-1bp2-gua6" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5hxx-r2d2-9ybk" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-9j1n-cypf-p7g5" }, { "vulnerability": "VCID-9ru4-qyks-hybs" }, { "vulnerability": "VCID-dhj9-usjr-nbfe" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-dzfs-e5ys-fbhz" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-etmw-7eq5-mqa2" }, { "vulnerability": "VCID-geg4-1kgh-akde" }, { "vulnerability": "VCID-hkwf-65vr-dkfz" }, { "vulnerability": "VCID-knrd-atwy-gubn" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-tbb9-myv7-a7h4" }, { "vulnerability": "VCID-w56f-fmkf-dkfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6" } ], "aliases": [ "CVE-2025-68675", "GHSA-7c2f-r6gc-h92h", "PYSEC-2026-10" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36933?format=api", "vulnerability_id": "VCID-u5wv-47m4-8yd6", "summary": "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/pull/43040", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/43040" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml" }, { "reference_url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/11/15/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/11/15/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45784", "reference_id": "CVE-2024-45784", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45784" }, { "reference_url": "https://github.com/advisories/GHSA-46c3-5xc5-wwhv", "reference_id": "GHSA-46c3-5xc5-wwhv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-46c3-5xc5-wwhv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32047?format=api", "purl": "pkg:pypi/apache-airflow@2.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3" } ], "aliases": [ "CVE-2024-45784", "GHSA-46c3-5xc5-wwhv", "PYSEC-2024-182" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36817?format=api", "vulnerability_id": "VCID-x9ns-34nt-gfer", "summary": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. \n\nAirflow did not return \"Cache-Control\" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.\n\nThis issue affects Apache Airflow: before 2.9.2.\n\nUsers are recommended to upgrade to version 2.9.2, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3" }, { "reference_url": "https://github.com/apache/airflow/pull/39550", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/39550" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml" }, { "reference_url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/06/13/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/06/13/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25142", "reference_id": "CVE-2024-25142", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25142" }, { "reference_url": "https://github.com/advisories/GHSA-9xpj-62mm-24h2", "reference_id": "GHSA-9xpj-62mm-24h2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9xpj-62mm-24h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32034?format=api", "purl": "pkg:pypi/apache-airflow@2.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-a64u-53x6-dfge" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" }, { "vulnerability": "VCID-ydhm-m8vh-mber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2" } ], "aliases": [ "CVE-2024-25142", "GHSA-9xpj-62mm-24h2", "PYSEC-2024-195" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36835?format=api", "vulnerability_id": "VCID-ydhm-m8vh-mber", "summary": "Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/airflow", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow" }, { "reference_url": "https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58" }, { "reference_url": "https://github.com/apache/airflow/pull/40475", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/airflow/pull/40475" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml" }, { "reference_url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39863", "reference_id": "CVE-2024-39863", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39863" }, { "reference_url": "https://github.com/advisories/GHSA-j482-47xf-p25c", "reference_id": "GHSA-j482-47xf-p25c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j482-47xf-p25c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32036?format=api", "purl": "pkg:pypi/apache-airflow@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1w96-f72k-ryap" }, { "vulnerability": "VCID-2xr2-w3hk-auck" }, { "vulnerability": "VCID-56eq-awhd-d3fr" }, { "vulnerability": "VCID-5jyk-dgtu-zfhd" }, { "vulnerability": "VCID-91n6-evww-zybp" }, { "vulnerability": "VCID-dh4r-77xc-cbas" }, { "vulnerability": "VCID-djdy-z9r3-s3a2" }, { "vulnerability": "VCID-ej1r-mp6n-gudd" }, { "vulnerability": "VCID-mcbu-b45m-k3ck" }, { "vulnerability": "VCID-pu6f-xhvm-q3du" }, { "vulnerability": "VCID-t3ap-dzfp-1bd6" }, { "vulnerability": "VCID-u5wv-47m4-8yd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3" } ], "aliases": [ "CVE-2024-39863", "GHSA-j482-47xf-p25c", "PYSEC-2024-189" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2rc2" }