apache-airflow 2.7.1rc2 vulnerabilities

Known vulnerabilities in the apache-airflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Insertion of Sensitive Information into Log File apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of configuration variables belonging to other DAG author users. If these variables contain sensitive values, which is a fact out of the attacking user's control, they will be exposed. How to fix Insertion of Sensitive Information into Log File? Upgrade `apache-airflow` to version 2.10.3rc1 or higher.	[,2.10.3rc1)
M Uninitialized Memory Exposure apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Uninitialized Memory Exposure which allows authenticated users with audit log access to see sensitive unencrypted stored values set via the airflow CLI. Note: Users who are using the CLI to set secret variables are advised to manually delete entries with those variables from the log table. How to fix Uninitialized Memory Exposure? Upgrade `apache-airflow` to version 2.10.3 or higher.	[,2.10.3)
H Execution with Unnecessary Privileges apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the ability of DAG authors to add local settings to the DAG folder which then gets executed by the scheduler. An attacker can escalate privileges and execute arbitrary code by manipulating the DAG configuration files. This vulnerability is can be exploited by an attacker with DAG author permissions. How to fix Execution with Unnecessary Privileges? Upgrade `apache-airflow` to version 2.10.1 or higher.	[,2.10.1)
H Improper Encoding or Escaping of Output apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the `example_inlet_event_extra.py` DAG configuration. An attacker with `DAG` trigger permissions can execute arbitrary commands by exploiting this vulnerability. How to fix Improper Encoding or Escaping of Output? Upgrade `apache-airflow` to version 2.10.1 or higher.	[,2.10.1)
M Cross-site Scripting (XSS) apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the provider documentation link due to improper user input sanitization in the `get_doc_url_for_provider` function. By enticing a user to click on a maliciously crafted provider link, an attacker can execute scripts in the context of the user's browser session. How to fix Cross-site Scripting (XSS)? Upgrade `apache-airflow` to version 2.10.0 or higher.	[,2.10.0)
M Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') that allows an authenticated attacker to inject a malicious link into the provider installation process. How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')? Upgrade `apache-airflow` to version 2.9.3 or higher.	[,2.9.3)
H Improper Control of Generation of Code ('Code Injection') apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') which allows an authenticated `DAG` attacker to craft a `doc_md` parameter and execute arbitrary code in the scheduler context How to fix Improper Control of Generation of Code ('Code Injection')? Upgrade `apache-airflow` to version 2.9.3 or higher.	[2.4.0,2.9.3)
M Use of Web Browser Cache Containing Sensitive Information apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information by not returning the `Cache-Control` header for dynamic content. This allows sensitive data to be written to the local browser cache. How to fix Use of Web Browser Cache Containing Sensitive Information? Upgrade `apache-airflow` to version 2.9.2 or higher.	[,2.9.2)
H Improper Certificate Validation apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Certificate Validation for `FTP_TLS` connections, which are created without setting the proper context using `ssl.create_default_context()`. How to fix Improper Certificate Validation? Upgrade `apache-airflow` to version 2.9.0b1 or higher.	[,2.9.0b1)
M Information Exposure apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Information Exposure via the `configuration` UI page. An attacker can see sensitive provider configuration by setting `webserver.expose_config` to `non-sensitive-only`, even though the celery provider is the only community provider currently that has sensitive configurations. Note: This is only exploitable if `webserver.expose_config` configuration is set to `non-sensitive-only`. How to fix Information Exposure? Upgrade `apache-airflow` to version 2.9.0 or higher.	[2.7.0,2.9.0)
M Incorrect Default Permissions apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Incorrect Default Permissions that allow Ops and Viewers users to view all information in audit logs, including DAG names and usernames they are not permitted to view. How to fix Incorrect Default Permissions? Upgrade `apache-airflow` to version 2.8.2rc1 or higher.	[,2.8.2rc1)
M Exposure of Resource to Wrong Sphere apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper permission checks in the API and UI components. An attacker can view DAG code and import errors for DAGs they are not authorized to access by exploiting this vulnerability. How to fix Exposure of Resource to Wrong Sphere? Upgrade `apache-airflow` to version 2.8.2 or higher.	[,2.8.2)
M Deserialization of Untrusted Data apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation of input during the deserialization process of XCom data. An attacker can execute arbitrary code by submitting crafted input that bypasses the protection of the `enable_xcom_pickling=False` configuration setting, leading to poisoned data after deserialization. How to fix Deserialization of Untrusted Data? Upgrade `apache-airflow` to version 2.8.1 or higher.	[,2.8.1)
M Missing Authorization apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Missing Authorization via the permission verification process. An attacker can read the source code of a DAG without having the proper permissions by exploiting this vulnerability. How to fix Missing Authorization? Upgrade `apache-airflow` to version 2.8.1 or higher.	[,2.8.1)
M Cross-site Request Forgery (CSRF) apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) that allows triggering a DAG in a GET request, by convincing a user who is authenticated to the Airflow UI to visit a malicious website in the same browser. How to fix Cross-site Request Forgery (CSRF)? Upgrade `apache-airflow` to version 2.8.0 or higher.	[2.7.0,2.8.0)
M Improper Access Control apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Access Control allowing an authenticated user with limited access to some `DAG`s, to craft a request that could give the user write access to various `DAG` resources that the user had no access to. NOTE: This was thought to be fixed in version 2.7.2, with the publication of CVE-2023-42792, but it was missed. How to fix Improper Access Control? Upgrade `apache-airflow` to version 2.8.0b1 or higher.	[,2.8.0b1)
M Cross-site Scripting (XSS) apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the parameter description field of a DAG. A DAG author can embed JavaScript, which can be executed on the client side when a user views the DAG details in the browser. This could lead to misleading information being displayed to the user. How to fix Cross-site Scripting (XSS)? Upgrade `apache-airflow` to version 2.8.0b1 or higher.	[2.6.0,2.8.0b1)
M Improper Access Control apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Access Control via the `varimport` endpoint. A user who lacks the variable edit permission can edit a variable. How to fix Improper Access Control? Upgrade `apache-airflow` to version 2.8.0b1 or higher.	[,2.8.0b1)
M Incorrect Authorization apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Incorrect Authorization in `forms.py` that allows authenticated users with `DAG-view` permission to modify some DAG run detail values (such as configuration parameters, start date, etc.) when submitting notes. This vulnerability is the same one described by CVE-2023-40611, which has now been fixed. How to fix Incorrect Authorization? Upgrade `apache-airflow` to version 2.7.3 or higher.	[,2.7.3)
M Improper Access Control apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Access Control in handling task instances. A user can read information about task instances in other DAGs. How to fix Improper Access Control? Upgrade `apache-airflow` to version 2.7.3 or higher.	[,2.7.3)
M Information Exposure apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Information Exposure allowing an authenticated user to retrieve sensitive configuration information when the `expose_config` option is set to `non-sensitive-only`. Note: The `expose_config` option is `False` by default. How to fix Information Exposure? Upgrade `apache-airflow` to version 2.7.2 or higher.	[2.7.0,2.7.2)
M Improper Access Control apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Access Control allowing authenticated users to list warnings for all DAGs, even if the user had no permission reveal the `dag_ids` and the stack-traces of import errors for those `DAG`s with import errors. How to fix Improper Access Control? Upgrade `apache-airflow` to version 2.7.2 or higher.	[,2.7.2)
M Improper Access Control apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Access Control allowing an authenticated user with limited access to some `DAG`s, to craft a request that could give the user write access to various `DAG` resources that the user had no access to. NOTE: This was thought to be fixed in version 2.7.2, but was missed and later addressed with the publication of CVE-2023-48291. How to fix Improper Access Control? Upgrade `apache-airflow` to version 2.7.2 or higher.	[,2.7.2)
M Information Exposure apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Information Exposure due to the improper access control mechanism, an authorized user with read access to specific Directed Acyclic Graphs (DAGs) can access information about task instances in other DAGs. Note: This is only exploitable if the user has been granted read access to specific DAGs. How to fix Information Exposure? Upgrade `apache-airflow` to version 2.7.2 or higher.	[,2.7.2)
M Incorrect Authorization apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Incorrect Authorization in `forms.py` that allows authenticated users with `DAG-view` permission to modify some DAG run detail values (such as configuration parameters, start date, etc.) when submitting notes. NOTE: This vulnerability was originally marked as fixed in 2.7.1 but the fix did not make it into that version. It was subsequently fixed in 2.7.3 and also assigned CVE-2023-47037. How to fix Incorrect Authorization? Upgrade `apache-airflow` to version 2.7.3 or higher.	[,2.7.3)
M Information Exposure apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Information Exposure in a rendered template generated with `views.py` and `timezone.py`. Users who have access to see the task/dag in the UI can craft a URL, which could unmask the masked configuration of the task. How to fix Information Exposure? Upgrade `apache-airflow` to version 2.7.1 or higher.	[,2.7.1)

Vulnerability

Vulnerable Version

Insertion of Sensitive Information into Log File

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of configuration variables belonging to other DAG author users. If these variables contain sensitive values, which is a fact out of the attacking user's control, they will be exposed.

How to fix Insertion of Sensitive Information into Log File?

Upgrade apache-airflow to version 2.10.3rc1 or higher.

[,2.10.3rc1)

Uninitialized Memory Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure which allows authenticated users with audit log access to see sensitive unencrypted stored values set via the airflow CLI.

Note: Users who are using the CLI to set secret variables are advised to manually delete entries with those variables from the log table.

How to fix Uninitialized Memory Exposure?

Upgrade apache-airflow to version 2.10.3 or higher.

[,2.10.3)

Execution with Unnecessary Privileges

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the ability of DAG authors to add local settings to the DAG folder which then gets executed by the scheduler. An attacker can escalate privileges and execute arbitrary code by manipulating the DAG configuration files. This vulnerability is can be exploited by an attacker with DAG author permissions.

How to fix Execution with Unnecessary Privileges?

Upgrade apache-airflow to version 2.10.1 or higher.

[,2.10.1)

Improper Encoding or Escaping of Output

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the example_inlet_event_extra.py DAG configuration. An attacker with DAG trigger permissions can execute arbitrary commands by exploiting this vulnerability.

How to fix Improper Encoding or Escaping of Output?

Upgrade apache-airflow to version 2.10.1 or higher.

[,2.10.1)

Cross-site Scripting (XSS)

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the provider documentation link due to improper user input sanitization in the get_doc_url_for_provider function. By enticing a user to click on a maliciously crafted provider link, an attacker can execute scripts in the context of the user's browser session.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-airflow to version 2.10.0 or higher.

[,2.10.0)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') that allows an authenticated attacker to inject a malicious link into the provider installation process.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade apache-airflow to version 2.9.3 or higher.

[,2.9.3)

Improper Control of Generation of Code ('Code Injection')

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') which allows an authenticated DAG attacker to craft a doc_md parameter and execute arbitrary code in the scheduler context

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade apache-airflow to version 2.9.3 or higher.

[2.4.0,2.9.3)

Use of Web Browser Cache Containing Sensitive Information

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information by not returning the Cache-Control header for dynamic content. This allows sensitive data to be written to the local browser cache.

How to fix Use of Web Browser Cache Containing Sensitive Information?

Upgrade apache-airflow to version 2.9.2 or higher.

[,2.9.2)

Improper Certificate Validation

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation for FTP_TLS connections, which are created without setting the proper context using ssl.create_default_context().

How to fix Improper Certificate Validation?

Upgrade apache-airflow to version 2.9.0b1 or higher.

[,2.9.0b1)

Information Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure via the configuration UI page. An attacker can see sensitive provider configuration by setting webserver.expose_config to non-sensitive-only, even though the celery provider is the only community provider currently that has sensitive configurations.

Note:

This is only exploitable if webserver.expose_config configuration is set to non-sensitive-only.

How to fix Information Exposure?

Upgrade apache-airflow to version 2.9.0 or higher.

[2.7.0,2.9.0)

Incorrect Default Permissions

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Default Permissions that allow Ops and Viewers users to view all information in audit logs, including DAG names and usernames they are not permitted to view.

How to fix Incorrect Default Permissions?

Upgrade apache-airflow to version 2.8.2rc1 or higher.

[,2.8.2rc1)

Exposure of Resource to Wrong Sphere

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper permission checks in the API and UI components. An attacker can view DAG code and import errors for DAGs they are not authorized to access by exploiting this vulnerability.

How to fix Exposure of Resource to Wrong Sphere?

Upgrade apache-airflow to version 2.8.2 or higher.

[,2.8.2)

Deserialization of Untrusted Data

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation of input during the deserialization process of XCom data. An attacker can execute arbitrary code by submitting crafted input that bypasses the protection of the enable_xcom_pickling=False configuration setting, leading to poisoned data after deserialization.

How to fix Deserialization of Untrusted Data?

Upgrade apache-airflow to version 2.8.1 or higher.

[,2.8.1)

Missing Authorization

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Missing Authorization via the permission verification process. An attacker can read the source code of a DAG without having the proper permissions by exploiting this vulnerability.

How to fix Missing Authorization?

Upgrade apache-airflow to version 2.8.1 or higher.

[,2.8.1)

Cross-site Request Forgery (CSRF)

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) that allows triggering a DAG in a GET request, by convincing a user who is authenticated to the Airflow UI to visit a malicious website in the same browser.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade apache-airflow to version 2.8.0 or higher.

[2.7.0,2.8.0)

Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control allowing an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources that the user had no access to.

NOTE: This was thought to be fixed in version 2.7.2, with the publication of CVE-2023-42792, but it was missed.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.8.0b1 or higher.

[,2.8.0b1)

Cross-site Scripting (XSS)

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the parameter description field of a DAG. A DAG author can embed JavaScript, which can be executed on the client side when a user views the DAG details in the browser. This could lead to misleading information being displayed to the user.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-airflow to version 2.8.0b1 or higher.

[2.6.0,2.8.0b1)

Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control via the varimport endpoint. A user who lacks the variable edit permission can edit a variable.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.8.0b1 or higher.

[,2.8.0b1)

Incorrect Authorization

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Incorrect Authorization in forms.py that allows authenticated users with DAG-view permission to modify some DAG run detail values (such as configuration parameters, start date, etc.) when submitting notes.

This vulnerability is the same one described by CVE-2023-40611, which has now been fixed.

How to fix Incorrect Authorization?

Upgrade apache-airflow to version 2.7.3 or higher.

[,2.7.3)

Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control in handling task instances. A user can read information about task instances in other DAGs.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.7.3 or higher.

[,2.7.3)

Information Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure allowing an authenticated user to retrieve sensitive configuration information when the expose_config option is set to non-sensitive-only.

Note: The expose_config option is False by default.

How to fix Information Exposure?

Upgrade apache-airflow to version 2.7.2 or higher.

[2.7.0,2.7.2)

Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Access Control allowing authenticated users to list warnings for all DAGs, even if the user had no permission reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.7.2 or higher.

[,2.7.2)

Improper Access Control

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

NOTE: This was thought to be fixed in version 2.7.2, but was missed and later addressed with the publication of CVE-2023-48291.

How to fix Improper Access Control?

Upgrade apache-airflow to version 2.7.2 or higher.

[,2.7.2)

Information Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure due to the improper access control mechanism, an authorized user with read access to specific Directed Acyclic Graphs (DAGs) can access information about task instances in other DAGs.

Note: This is only exploitable if the user has been granted read access to specific DAGs.

How to fix Information Exposure?

Upgrade apache-airflow to version 2.7.2 or higher.

[,2.7.2)

Incorrect Authorization

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

NOTE: This vulnerability was originally marked as fixed in 2.7.1 but the fix did not make it into that version. It was subsequently fixed in 2.7.3 and also assigned CVE-2023-47037.

How to fix Incorrect Authorization?

Upgrade apache-airflow to version 2.7.3 or higher.

[,2.7.3)

Information Exposure

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure in a rendered template generated with views.py and timezone.py. Users who have access to see the task/dag in the UI can craft a URL, which could unmask the masked configuration of the task.

How to fix Information Exposure?

Upgrade apache-airflow to version 2.7.1 or higher.

[,2.7.1)

apache-airflow@2.7.1rc2 vulnerabilities

Programmatically author, schedule and monitor data pipelines

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?