Page 11 of 112 results (0.007 seconds)

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it. This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/31984 https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj • CWE-20: Improper Input Validation •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting version 4.0.0 driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider: before 4.0.0. • https://github.com/apache/airflow/pull/31713 https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later. • https://github.com/apache/airflow/pull/31788 https://github.com/apache/airflow/pull/31820 https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner.  Operators should upgrade to provider version 7.0.0 which has removed the vulnerability. • https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. • http://www.openwall.com/lists/oss-security/2023/05/08/2 https://github.com/apache/airflow/pull/29506 https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v • CWE-270: Privilege Context Switching Error •