Apache: >> Airflow >> 1.10.11 Security Vulnerabilities
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.
CVSS Score
7.7
EPSS Score
0.911
Published
2020-12-21
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.
CVSS Score
6.5
EPSS Score
0.005
Published
2020-12-14
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
CVSS Score
5.3
EPSS Score
0.021
Published
2020-12-14
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.
CVSS Score
6.1
EPSS Score
0.102
Published
2020-12-11
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
CVSS Score
6.1
EPSS Score
0.172
Published
2020-09-17
Page 7