apache-airflow
PyPI · 112 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting apache-airflow (page 3 of 3)
- CVE-2026-22922 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 3.1.7 · 2026-02-09
vulnerable: 3.1.0 ... 3.1.7rc2 (18 versions)
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgr…
- CVE-2026-24098 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 3.1.7 · 2026-02-09
vulnerable: 1.10.0 ... 3.1.7rc2 (268 versions)
Apache Airflow versions 3.0.0 - 3.1.7 have a vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgr…
- CVE-2026-25219 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 3.1.8 · 2026-04-15
vulnerable: 1.10.0 ... 3.1.8rc2 (276 versions)
The `access_key` and `connection_string` connection properties were not marked as sensitive names in the secrets masker. This means that a user with read permission could see the values in the Connection UI, as well as when a Connection was accidental…
- CVE-2026-25917 · HIGH · CVSS 7.2 · EG 7.2 · ✓ Fixed in 3.2.0 · 2026-04-18
vulnerable: 1.10.0 ... 3.2.0rc2 (281 versions)
Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low. U…
- CVE-2026-30912 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.2.0 · 2026-04-18
vulnerable: 1.10.0 ... 3.2.0rc2 (281 versions)
In case of SQL errors, the exception/stack trace of the error was exposed in the API even if "api/expose_stack_traces" was set to false. That could expose additional information to a potential attacker. Users are recommended to upgrade to Apa…
- CVE-2026-31987 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.2.0 · 2026-04-16
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
- CVE-2026-32690 · LOW · CVSS 3.7 · EG 3.7 · ✓ Fixed in 3.2.0 · 2026-04-18
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case these variables were retrieved by the user, the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSO…
- CVE-2026-32794 · MEDIUM · CVSS 4.8 · EG 4.8 · ✓ Fixed in 1.12.0 · 2026-03-30
vulnerable: 1.10.0 ... 1.10.9rc1 (57 versions)
Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to the Databricks back-end, which could result in a man-in-the-middle attack where traffic is inte…
- CVE-2026-33858 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 3.2.0 · 2026-04-13
vulnerable: 3.1.8, 3.2.0b1, 3.2.0b2, 3.2.0rc1, 3.2.0rc2
Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low. …
- CVE-2026-34538 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 3.2.0 · 2026-04-09
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
Apache Airflow versions 3.0.0 through 3.1.8: the DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role. This behavior conflicts with the FAB RBAC model, which treats XCom as…
- CVE-2026-38743 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 3.2.1rc1 · 2026-04-24
vulnerable: 1.10.0 ... 3.2.0rc2 (282 versions)
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including…
- CVE-2026-40690 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 3.2.1rc1 · 2026-04-24
vulnerable: 1.10.0 ... 3.2.0rc2 (282 versions)
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAG…