CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1CVE-2023-22884 – Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-22884
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando ("Inyección de comando") en Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. Este problema afecta a Apache Airflow: antes de 2.5.1; Apache Airflow MySQL Provider: anterior a 4.0.0. • https://github.com/jakabakos/CVE-2023-22884-Airflow-SQLi https://github.com/apache/airflow/pull/28811 https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45402 – Apache Airflow: Open redirect during login
https://notcve.org/view.php?id=CVE-2022-45402
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. En las versiones de Apache Airflow anteriores a la 2.4.3, había una redirección abierta en el endpoint `/login` del servidor web. • http://www.openwall.com/lists/oss-security/2022/11/15/1 https://github.com/apache/airflow/pull/27576 https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 26%CPEs: 1EXPL: 2CVE-2022-40127 – Apache Airflow <2.4.0 has an RCE in a bash example
https://notcve.org/view.php?id=CVE-2022-40127
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. Una vulnerabilidad en Dags de ejemplo de Apache Airflow permite a un atacante con acceso a la interfaz de usuario que puede activar DAG ejecutar comandos arbitrarios a través del parámetro run_id proporcionado manualmente. Este problema afecta a las versiones de Apache Airflow Apache Airflow anteriores a la 2.4.0. • https://github.com/Mr-xn/CVE-2022-40127 https://github.com/jakabakos/CVE-2022-40127-Airflow-RCE http://www.openwall.com/lists/oss-security/2022/11/14/2 https://github.com/apache/airflow/pull/25960 https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43982 – Apache Airflow prior to 2.4.2 allows reflected XSS via Origin Query Argument in URL
https://notcve.org/view.php?id=CVE-2022-43982
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. En las versiones de Apache Airflow anteriores a la 2.4.2, la pantalla "Trigger DAG with config" era susceptible a ataques XSS a través del argumento de consulta "origin". • https://github.com/apache/airflow/pull/27143 https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43985 – Apache Airflow prior to 2.4.2 has an open redirect
https://notcve.org/view.php?id=CVE-2022-43985
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. En las versiones de Apache Airflow anteriores a la 2.4.2, había una redirección abierta en el punto final `/confirm` del servidor web. • https://github.com/apache/airflow/pull/27143 https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •