CVE-2023-35908 – Apache Airflow: Access to DAGs without relevant permission
https://notcve.org/view.php?id=CVE-2023-35908
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32014 https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw • CWE-863: Incorrect Authorization •
CVE-2023-35005 – Apache Airflow: Information disclosure on configuration view
https://notcve.org/view.php?id=CVE-2023-35005
In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later. • https://github.com/apache/airflow/pull/31788 https://github.com/apache/airflow/pull/31820 https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-25754 – Apache Airflow: Privilege escalation using airflow logs
https://notcve.org/view.php?id=CVE-2023-25754
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. • http://www.openwall.com/lists/oss-security/2023/05/08/2 https://github.com/apache/airflow/pull/29506 https://lists.apache.org/thread/3y83gr0qb8t49ppfk4fb2yk7md8ltq4v • CWE-270: Privilege Context Switching Error •
CVE-2023-29247 – Stored XSS on Apache Airflow
https://notcve.org/view.php?id=CVE-2023-29247
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. • https://github.com/apache/airflow/pull/30447 https://github.com/apache/airflow/pull/30779 https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25695 – Information disclosure in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-25695
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. • https://github.com/apache/airflow/pull/29501 https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2 • CWE-209: Generation of Error Message Containing Sensitive Information •