CVE-2023-29247 – Stored XSS on Apache Airflow
https://notcve.org/view.php?id=CVE-2023-29247
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. • https://github.com/apache/airflow/pull/30447 https://github.com/apache/airflow/pull/30779 https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25695 – Information disclosure in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-25695
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. • https://github.com/apache/airflow/pull/29501 https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2023-22884 – Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow
https://notcve.org/view.php?id=CVE-2023-22884
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando ("Inyección de comando") en Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. Este problema afecta a Apache Airflow: antes de 2.5.1; Apache Airflow MySQL Provider: anterior a 4.0.0. • https://github.com/jakabakos/CVE-2023-22884-Airflow-SQLi https://github.com/apache/airflow/pull/28811 https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2022-45402 – Apache Airflow: Open redirect during login
https://notcve.org/view.php?id=CVE-2022-45402
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. En las versiones de Apache Airflow anteriores a la 2.4.3, había una redirección abierta en el endpoint `/login` del servidor web. • http://www.openwall.com/lists/oss-security/2022/11/15/1 https://github.com/apache/airflow/pull/27576 https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2022-40127 – Apache Airflow <2.4.0 has an RCE in a bash example
https://notcve.org/view.php?id=CVE-2022-40127
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. Una vulnerabilidad en Dags de ejemplo de Apache Airflow permite a un atacante con acceso a la interfaz de usuario que puede activar DAG ejecutar comandos arbitrarios a través del parámetro run_id proporcionado manualmente. Este problema afecta a las versiones de Apache Airflow Apache Airflow anteriores a la 2.4.0. • https://github.com/Mr-xn/CVE-2022-40127 https://github.com/jakabakos/CVE-2022-40127-Airflow-RCE http://www.openwall.com/lists/oss-security/2022/11/14/2 https://github.com/apache/airflow/pull/25960 https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy • CWE-94: Improper Control of Generation of Code ('Code Injection') •