CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39508 – Apache Airflow: Airflow "Run task" feature allows execution with unnecessary priviledges
https://notcve.org/view.php?id=CVE-2023-39508
05 Aug 2023 — Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0 This issue affects Apache Ai... • http://seclists.org/fulldisclosure/2023/Jul/43 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-250: Execution with Unnecessary Privileges •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22888 – Apache Airflow: Scheduler remote DoS
https://notcve.org/view.php?id=CVE-2023-22888
12 Jul 2023 — Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32293 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36543 – Apache Airflow: ReDoS via dags function
https://notcve.org/view.php?id=CVE-2023-36543
12 Jul 2023 — Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32060 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46651 – Apache Airflow: Security vulnerability on AirFlow Connections
https://notcve.org/view.php?id=CVE-2022-46651
12 Jul 2023 — Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability. • https://github.com/apache/airflow/pull/32309 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22887 – Apache Airflow path traversal by authenticated user
https://notcve.org/view.php?id=CVE-2023-22887
12 Jul 2023 — Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32293 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35908 – Apache Airflow: Access to DAGs without relevant permission
https://notcve.org/view.php?id=CVE-2023-35908
12 Jul 2023 — Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32014 • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35005 – Apache Airflow: Information disclosure on configuration view
https://notcve.org/view.php?id=CVE-2023-35005
19 Jun 2023 — In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later. • https://github.com/apache/airflow/pull/31788 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25754 – Apache Airflow: Privilege escalation using airflow logs
https://notcve.org/view.php?id=CVE-2023-25754
08 May 2023 — Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. • http://www.openwall.com/lists/oss-security/2023/05/08/2 • CWE-270: Privilege Context Switching Error •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29247 – Stored XSS on Apache Airflow
https://notcve.org/view.php?id=CVE-2023-29247
08 May 2023 — Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. • https://github.com/apache/airflow/pull/30447 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25695 – Information disclosure in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-25695
15 Mar 2023 — Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. • https://github.com/apache/airflow/pull/29501 • CWE-209: Generation of Error Message Containing Sensitive Information •