Hi Airflow Dev Team,

We are using airflow v1.10.10 at Salesforce. We ran NexusIQ and found the following vulnerabilities in packages used in airflow:

*1.* *package:* moment:2.11.2
*vulnerabilities:* sonatype-2016-0105, sonatype-2017-0422
*description:* CVE-2017-18214 <https://nvd.nist.gov/vuln/detail/CVE-2017-18214> has been assigned to sonatype-2017-0422.
*remediation:* upgrade to 2.19.3

*2.* *package:* jquery:1.7.2
*vulnerabilities:* sonatype-2012-0009, sonatype-2014-0026, sonatype-2019-0115, sonatype-2020-0187
*description:* CVE-2012-6708 <https://nvd.nist.gov/vuln/detail/CVE-2012-6708> has been assigned to sonatype-2012-0009, CVE-2019-11358 <https://nvd.nist.gov/vuln/detail/CVE-2019-11358> has been assigned to sonatype-2019-0115, CVE-2020-11022 <https://nvd.nist.gov/vuln/detail/CVE-2020-11022> has been assigned to sonatype-2020-0187
*remediation:* upgrade to 3.5.0

*3.* CVE-2017-15720 <https://nvd.nist.gov/vuln/detail/CVE-2017-15720>
*description:* Vendor has a reason to believe that this vulnerability applies to airflow v1.10.10

We wanted to know whether these packages (1 and 2) can be upgraded to resolve the vulnerabilities, and we would also really appreciate it if the team can verify #3. Please let us know how we can provide help in this regard. We have attached vulnerability reports with this email.

Thanks,
- MALIK
Software Engineering SMTS | Salesforce