CVE-2023-35005 – Apache Airflow: Information disclosure on configuration view
https://notcve.org/view.php?id=CVE-2023-35005
In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later. • https://github.com/apache/airflow/pull/31788 https://github.com/apache/airflow/pull/31820 https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-25754 – Apache Airflow: Privilege escalation using airflow logs
https://notcve.org/view.php?id=CVE-2023-25754
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. • http://www.openwall.com/lists/oss-security/2023/05/08/2 https://github.com/apache/airflow/pull/29506 https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v • CWE-270: Privilege Context Switching Error •
CVE-2023-29247 – Stored XSS on Apache Airflow
https://notcve.org/view.php?id=CVE-2023-29247
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. • https://github.com/apache/airflow/pull/30447 https://github.com/apache/airflow/pull/30779 https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25695 – Information disclosure in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-25695
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. • https://github.com/apache/airflow/pull/29501 https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2023-22884 – Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-22884
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando ("Inyección de comando") en Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. Este problema afecta a Apache Airflow: antes de 2.5.1; Apache Airflow MySQL Provider: anterior a 4.0.0. • https://github.com/jakabakos/CVE-2023-22884-Airflow-SQLi https://github.com/apache/airflow/pull/28811 https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •