CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45784 – Apache Airflow: Sensitive configuration values are not masked in the logs by default
https://notcve.org/view.php?id=CVE-2024-45784
15 Nov 2024 — Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exp... • https://github.com/apache/airflow/pull/43040 • CWE-1295: Debug Messages Revealing Unnecessary Information •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50378 – Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli
https://notcve.org/view.php?id=CVE-2024-50378
08 Nov 2024 — Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the C... • https://github.com/apache/airflow/pull/43123 • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45034 – Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes
https://notcve.org/view.php?id=CVE-2024-45034
07 Sep 2024 — Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability. Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the schedul... • https://github.com/apache/airflow/pull/41672 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41937 – Apache Airflow: Stored XSS Vulnerability on provider link
https://notcve.org/view.php?id=CVE-2024-41937
21 Aug 2024 — Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-si... • https://github.com/apache/airflow/pull/40933 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25142 – Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache
https://notcve.org/view.php?id=CVE-2024-25142
14 Jun 2024 — Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue. Uso de la vulnerabilidad de caché del navegador web que contiene información confidencial en Apache Airflow. • https://github.com/apache/airflow/pull/39550 • CWE-525: Use of Web Browser Cache Containing Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32077 – Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
https://notcve.org/view.php?id=CVE-2024-32077
14 May 2024 — Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue. Apache Airflow versión 2.9.0 tiene una vulnerabilidad que permite a un atacante autenticado inyectar datos maliciosos en los registros de instancias de tareas. Se recomienda a los usuarios actualizar a la versión 2.9.1, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/05/14/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31869 – Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
https://notcve.org/view.php?id=CVE-2024-31869
18 Apr 2024 — Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your "expose_config" configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/... • http://www.openwall.com/lists/oss-security/2024/04/17/10 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29735 – Apache Airflow: Potentially harmful permission changing by log task handler
https://notcve.org/view.php?id=CVE-2024-29735
26 Mar 2024 — Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in the home directory, ... • http://www.openwall.com/lists/oss-security/2024/03/26/2 • CWE-281: Improper Preservation of Permissions •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28746 – Apache Airflow: Ignored Airflow Permissions
https://notcve.org/view.php?id=CVE-2024-28746
14 Mar 2024 — Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability Apache Airflow, versiones 2.8.0 a 2.8.2, tiene una vulnerabilidad que permite a un usuario autenticado con permisos limitados acceder a recur... • http://www.openwall.com/lists/oss-security/2024/03/13/5 • CWE-281: Improper Preservation of Permissions •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26280 – Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs)
https://notcve.org/view.php?id=CVE-2024-26280
01 Mar 2024 — Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the... • http://www.openwall.com/lists/oss-security/2024/03/01/1 • CWE-276: Incorrect Default Permissions •