CVE-2023-22887 – Apache Airflow path traversal by authenticated user
https://notcve.org/view.php?id=CVE-2023-22887
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32293 https://lists.apache.org/thread/rxddqs76r6rkxsg1n24d029zys67qwwo • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-35908 – Apache Airflow: Access to DAGs without relevant permission
https://notcve.org/view.php?id=CVE-2023-35908
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32014 https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw • CWE-863: Incorrect Authorization •
CVE-2023-25754 – Apache Airflow: Privilege escalation using airflow logs
https://notcve.org/view.php?id=CVE-2023-25754
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. • http://www.openwall.com/lists/oss-security/2023/05/08/2 https://github.com/apache/airflow/pull/29506 https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v • CWE-270: Privilege Context Switching Error •
CVE-2023-29247 – Stored XSS on Apache Airflow
https://notcve.org/view.php?id=CVE-2023-29247
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. • https://github.com/apache/airflow/pull/30447 https://github.com/apache/airflow/pull/30779 https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25695 – Information disclosure in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-25695
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. • https://github.com/apache/airflow/pull/29501 https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2 • CWE-209: Generation of Error Message Containing Sensitive Information •