RSS   Vulnerabilities for 'Airflow'   RSS

2020-09-17
 
CVE-2020-13944

CWE-79
 

 
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.

 
2020-07-17
 
CVE-2020-9485

CWE-79
 

 
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI.

 
 
CVE-2020-11983

CWE-79
 

 
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.

 
 
CVE-2020-11982

CWE-502
 

 
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.

 
 
CVE-2020-11981

CWE-78
 

 
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

 
 
CVE-2020-11978

CWE-78
 

 
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

 
2020-01-14
 
CVE-2019-12398

CWE-79
 

 
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.

 
2019-04-10
 
CVE-2019-0229

CWE-352
 

 
A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

 
 
CVE-2019-0216

CWE-79
 

 
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

 
2019-02-27
 
CVE-2018-20244

CWE-79
 

 
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

 


Copyright 2020, cxsecurity.com

 

Back to Top