CoburnJoe opened a new issue #15570: URL: https://github.com/apache/airflow/issues/15570
Hi team! My organisation is using Airflow, and right now we are unable to comply with our security policies or use our standard build pipeline due to an insecure dependency version (Gunicorn) specified by Airflow. I've messaged the security@ email address, but as this is already a public vulnerability in Gunicorn, and not a proven exploit in Airflow, I was directed over here.

Gunicorn request smuggling vulnerability. CVSS: https://snyk.io/vuln/SNYK-PYTHON-GUNICORN-541164

Steps to replicate

- Install Airflow
- Use the Pipenv or Safety Python packages to run a dependency check (pipenv check or safety check)
- Airflow fails because Gunicorn is running an older version with a known vulnerability:

  40104: gunicorn <20.0.1 resolved (19.10.0 installed)! Gunicorn 20.0.1 fixes chunked encoding support to prevent any request smuggling for security purposes. This issue is patched in Gunicorn 20.0.1 or higher.

Your setup file specifies gunicorn>=19.5.0, <20.0
https://github.com/apache/airflow/blob/47cbff9ce06a927c318ec77b32d79876b6828071/setup.cfg#L102
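The report above boils down to a dependency-range question: the constraint gunicorn>=19.5.0, <20.0 cannot resolve to any release at or above the fixed version 20.0.1, so every install is vulnerable no matter what the index offers. The script below is an added example, not code from the issue or from the Airflow project. It parses a requirement line with a small hand-written specifier parser (so it has no dependency on the packaging library), evaluates it against a constructed list of release versions standing in for what pip or Safety would see on the index, and reports whether the newest admitted release is still below the fix and whether the range admits any fixed release at all. The constraint and the fixed version 20.0.1 come from the issue; the release list, the function names and the verdict wording are assumptions of this example.

```python
"""Assess whether a version range for a dependency can still resolve to a vulnerable release.

Added example (not from the Airflow issue or project). Handles plain dotted-integer
versions and the operators >=, >, <=, <, == and != only; extras, wildcards and
pre-release tags are out of scope and raise ValueError.
"""
import re

SPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<specs>.*)$")
CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")

# Constructed release list standing in for the package index (not a real query).
RELEASES = ["19.5.0", "19.6.0", "19.7.1", "19.8.1", "19.9.0", "19.10.0",
            "20.0.0", "20.0.1", "20.0.4", "20.1.0"]

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'20.0' -> (20, 0, 0): pad to three components so 20.0 and 20.0.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fmt(version):
    return ".".join(str(p) for p in version)


def parse_requirement(req):
    """'gunicorn>=19.5.0, <20.0' -> ('gunicorn', [('>=', (19,5,0)), ('<', (20,0,0))])."""
    m = SPEC_RE.match(req.strip())
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    clauses = []
    for raw in filter(None, (c.strip() for c in m.group("specs").split(","))):
        cm = CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause {raw!r} in {req!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return m.group("name").lower(), clauses


def admits(clauses, version):
    """True when every clause of the specifier set accepts `version`."""
    return all(_OPS[op](version, bound) for op, bound in clauses)


def assess(req, releases, fixed_in):
    """Evaluate a requirement against available releases and a known fixed version.

    The resolver picks the highest admitted release, so `resolved` is what an
    unconstrained `pip install` would give; `admits_vulnerable` tells you whether a
    lockfile could still legitimately pin something older than the fix.
    """
    name, clauses = parse_requirement(req)
    fix = parse_version(fixed_in)
    admitted = sorted(v for v in map(parse_version, releases) if admits(clauses, v))
    resolved = admitted[-1] if admitted else None
    admits_vulnerable = any(v < fix for v in admitted)
    admits_fixed = any(v >= fix for v in admitted)
    if resolved is None:
        verdict = "no release satisfies the constraint"
    elif not admits_fixed:
        verdict = "range excludes every fixed release; raise the upper bound"
    elif resolved < fix:
        verdict = "resolver would pick a vulnerable release"
    elif admits_vulnerable:
        verdict = "latest is fixed, but the range still admits vulnerable releases; raise the lower bound"
    else:
        verdict = "ok"
    return {
        "name": name,
        "resolved": fmt(resolved) if resolved else None,
        "resolved_vulnerable": resolved is not None and resolved < fix,
        "admits_vulnerable": admits_vulnerable,
        "admits_fixed": admits_fixed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for spec in ("gunicorn>=19.5.0, <20.0", "gunicorn>=19.5.0", "gunicorn>=20.0.1"):
        print(spec, "->", assess(spec, RELEASES, "20.0.1"))
```

The three cases in the usage block show the distinction that matters when triaging a report like this one: the issue's constraint excludes every fixed release, so only a change to the upper bound helps; dropping the upper bound lets the resolver pick a fixed release but still allows an old lockfile to pin 19.x; raising the lower bound to 20.0.1 is the only form that guarantees a fixed install. Tools such as Safety and pipenv check inspect the resolved environment rather than the declared range, which is why they flag the installed 19.10.0 regardless of what the constraint would permit.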
