Page 8 of 74 results (0.004 seconds)

CVSS: 8.8EPSS: 26%CPEs: 1EXPL: 2

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. Una vulnerabilidad en Dags de ejemplo de Apache Airflow permite a un atacante con acceso a la interfaz de usuario que puede activar DAG ejecutar comandos arbitrarios a través del parámetro run_id proporcionado manualmente. Este problema afecta a las versiones de Apache Airflow Apache Airflow anteriores a la 2.4.0. • https://github.com/Mr-xn/CVE-2022-40127 https://github.com/jakabakos/CVE-2022-40127-Airflow-RCE http://www.openwall.com/lists/oss-security/2022/11/14/2 https://github.com/apache/airflow/pull/25960 https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1. Una vulnerabilidad en la interfaz de usuario de Apache Airflow permite a un atacante ver secretos desenmascarados en valores de plantilla representados para tareas que no se ejecutaron (por ejemplo, cuando dependían de instancias pasadas y anteriores de la tarea que fallaron). Este problema afecta a Apache Airflow antes de la versión 2.3.1. • http://www.openwall.com/lists/oss-security/2022/11/14/3 https://github.com/apache/airflow/pull/22754 https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. En las versiones de Apache Airflow anteriores a la 2.4.2, la pantalla "Trigger DAG with config" era susceptible a ataques XSS a través del argumento de consulta "origin". • https://github.com/apache/airflow/pull/27143 https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. En las versiones de Apache Airflow anteriores a la 2.4.2, había una redirección abierta en el punto final `/confirm` del servidor web. • https://github.com/apache/airflow/pull/27143 https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. En Apache Airflow, versiones anteriores a 2.4.1, desactivar un usuario no impedía que un usuario ya autenticado pudiera seguir usando la Interfaz de Usuario o la API • https://github.com/apache/airflow/pull/26635 https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y • CWE-613: Insufficient Session Expiration •