Apache Airflow vulnerabilities

CVE-2024-41937 [MEDIUM] CWE-79 CVE-2024-41937: Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a maliciou Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, whic

CVE-2024-39877 [HIGH] CWE-94 CVE-2024-39877: Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG a Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

CVE-2024-39863 [MEDIUM] CWE-79 CVE-2024-39863: Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to i Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

CVE-2024-25142 [MEDIUM] CWE-525 CVE-2024-25142: Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.  Airflow Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upg

CVE-2024-32077 [MEDIUM] CWE-79 CVE-2024-32077: Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject mal Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.

CVE-2024-31869 [MEDIUM] CVE-2024-31869: Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see s Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate t

CVE-2024-29735 [MEDIUM] CWE-281 CVE-2024-29735: Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airfl Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the

CVE-2024-28746 [HIGH] CWE-281 CVE-2024-28746: Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with t

CVE-2024-26280 [MEDIUM] CWE-276 CVE-2024-26280: Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to

CVE-2024-27906 [MEDIUM] CWE-862 CVE-2024-27906: Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view D Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

CVE-2023-50943 [HIGH] CWE-502 CVE-2023-50943: Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to pois Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recomm

CVE-2023-50944 [MEDIUM] CWE-862 CVE-2023-50944: Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to acc Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.

CVE-2023-51702 [MEDIUM] CWE-312 CVE-2023-51702: Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configura

CVE-2023-49920 [MEDIUM] CWE-352 CVE-2023-49920: Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advise

CVE-2023-50783 [MEDIUM] CWE-284 CVE-2023-50783: Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated u Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue

CVE-2023-48291 [MEDIUM] CVE-2023-48291: Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authent Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-

CVE-2023-47265 [MEDIUM] CWE-79 CVE-2023-47265: Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox. While this issue does not allow to exi

CVE-2023-42781 [MEDIUM] CVE-2023-42781: Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has ac Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the ris

CVE-2023-47037 [MEDIUM] CVE-2023-47037: We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then.  Apache We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date,

CVE-2023-46215 [HIGH] CWE-532 CVE-2023-46215: Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Ap Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Ai