Page 3 of 67 results (0.003 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. Apache Airflow, versiones anteriores a la 2.7.2, contiene una vulnerabilidad de seguridad que permite a los usuarios autenticados de Airflow enumerar advertencias para todos los DAG, incluso si el usuario no tenía permiso para ver esos DAG. Revelaría los dag_ids y los seguimientos de la pila de memoria de errores de importación para aquellos DAG con errores de importación. Se recomienda a los usuarios de Apache Airflow que actualicen a la versión 2.7.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad. • https://github.com/apache/airflow/pull/34355 https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability. Apache Airflow, versiones anteriores a la 2.7.1, se ve afectada por una vulnerabilidad que permite a los usuarios autenticados que tienen acceso para ver la tarea/dag en la interfaz de usuario crear una URL, lo que podría llevar a desenmascarar la configuración secreta de la tarea que de otro modo estar enmascarado en la interfaz UI. Se recomienda encarecidamente a los usuarios que actualicen a la versión 2.7.1 o posterior, que ha eliminado la vulnerabilidad. • https://github.com/apache/airflow/pull/33512 https://github.com/apache/airflow/pull/33516 https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability. Apache Airflow, versiones anteriores a 2.7.1, se ve afectada por una vulnerabilidad que permite a los usuarios autenticados y autorizados para DAG-view modificar algunos valores de detalles de ejecución de DAG al enviar notas. Esto podría hacer que alteren detalles como los parámetros de configuración, la fecha de inicio, etc. Los usuarios deben actualizar a la versión 2.7.1 o posterior, que ha eliminado la vulnerabilidad. • http://www.openwall.com/lists/oss-security/2023/11/12/1 https://github.com/apache/airflow/pull/33413 https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0 • CWE-863: Incorrect Authorization •

CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate.  Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability Apache Airflow SMTP Provider antes de 1.3.0, Apache Airflow IMAP Provider antes de 3.3.0, y Apache Airflow antes de 2.7.0 están afectados por la vulnerabilidad Validation of OpenSSL Certificate. El contexto SSL por defecto con la librería SSL no comprobaba el certificado X.509 de un servidor. En su lugar, el código aceptaba cualquier certificado, lo que podía dar lugar a la revelación de credenciales del servidor de correo o del contenido del correo cuando el cliente se conectaba a un atacante en posición MITM. Se recomienda encarecidamente a los usuarios que actualicen a Apache Airflow versión 2.7.0 o posterior, Apache Airflow IMAP Provider versión 3.3.0 o posterior y Apache Airflow SMTP Provider versión 1.3.0 o posterior para mitigar el riesgo asociado a esta vulnerabilidad. • http://www.openwall.com/lists/oss-security/2023/08/23/2 https://github.com/apache/airflow/pull/33070 https://github.com/apache/airflow/pull/33075 https://github.com/apache/airflow/pull/33108 https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb • CWE-295: Improper Certificate Validation •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server. Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface. Apache Airflow, en versiones anteriores a la 2.7.0, contiene una vulnerabilidad de seguridad que puede ser explotada por un usuario autenticado que posea privilegios de edición de conexión. • http://www.openwall.com/lists/oss-security/2023/08/23/4 https://github.com/apache/airflow/pull/32052 https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-400: Uncontrolled Resource Consumption CWE-918: Server-Side Request Forgery (SSRF) •