Shodan
Vulnerabilities
Vulnerable Software
Apache:  >> Airflow  >> 1.10.15  Security Vulnerabilities
CVE-2022-43982
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.
CVSS Score
6.1
EPSS Score
0.008
Published
2022-11-02
CVE-2022-43985
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
CVSS Score
6.1
EPSS Score
0.004
Published
2022-11-02
CVE-2022-41672
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
CVSS Score
8.1
EPSS Score
0.002
Published
2022-10-07
CVE-2022-38170
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.
CVSS Score
4.7
EPSS Score
0.001
Published
2022-09-02
CVE-2021-45229
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.
CVSS Score
6.1
EPSS Score
0.047
Published
2022-02-25
CVE-2022-24288
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
CVSS Score
8.8
EPSS Score
0.918
Published
2022-02-25
CVE-2021-45230
In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.
CVSS Score
6.5
EPSS Score
0.02
Published
2022-01-20
CVE-2021-35936
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
CVSS Score
5.3
EPSS Score
0.001
Published
2021-08-16


Products
Pricing
Contact Us

Shodan ® - All rights reserved