Page 7 of 71 results (0.010 seconds)

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del sistema operativo ('inyección de comando del sistema operativo') en el proveedor Apache Airflow Pinot. • https://github.com/apache/airflow/pull/27641 https://lists.apache.org/thread/033o1gbc4ly6dpd2xf1o201v56fbl4dz • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. En las versiones de Apache Airflow anteriores a la 2.4.3, había una redirección abierta en el endpoint `/login` del servidor web. • http://www.openwall.com/lists/oss-security/2022/11/15/1 https://github.com/apache/airflow/pull/27576 https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 8.8EPSS: 26%CPEs: 1EXPL: 2

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. Una vulnerabilidad en Dags de ejemplo de Apache Airflow permite a un atacante con acceso a la interfaz de usuario que puede activar DAG ejecutar comandos arbitrarios a través del parámetro run_id proporcionado manualmente. Este problema afecta a las versiones de Apache Airflow Apache Airflow anteriores a la 2.4.0. • https://github.com/Mr-xn/CVE-2022-40127 https://github.com/jakabakos/CVE-2022-40127-Airflow-RCE http://www.openwall.com/lists/oss-security/2022/11/14/2 https://github.com/apache/airflow/pull/25960 https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1. Una vulnerabilidad en la interfaz de usuario de Apache Airflow permite a un atacante ver secretos desenmascarados en valores de plantilla representados para tareas que no se ejecutaron (por ejemplo, cuando dependían de instancias pasadas y anteriores de la tarea que fallaron). Este problema afecta a Apache Airflow antes de la versión 2.3.1. • http://www.openwall.com/lists/oss-security/2022/11/14/3 https://github.com/apache/airflow/pull/22754 https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. En las versiones de Apache Airflow anteriores a la 2.4.2, la pantalla "Trigger DAG with config" era susceptible a ataques XSS a través del argumento de consulta "origin". • https://github.com/apache/airflow/pull/27143 https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •