Apache Airflow CVE: CVE-2021-29621: User enumeration in database authentication in Flask-AppBuilder <= 3.2.3.

2021-06-18 Thread Jarek Potiuk
Please find below the information about a vulnerability which has been addressed in Apache Airflow 2.1.0. Description: Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in.

Airflow Providers (Amazon 2.3.0) released on Mon 11 Oct 17:18:55 CEST 2021 are ready

2021-10-11 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. The source release, as well as the binary releases for all Providers are available here: https://airflow.apache.org/docs/apache-airflow-providers/installing-from-sources The Amazon

Airflow Providers released on 6th of December 2021 are ready

2021-12-06 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. * apache-airflow-providers-amazon 2.5.0 * apache-airflow-providers-apache-druid 2.1.0 * apache-airflow-providers-apache-hdfs 2.2.0 * apache-airflow-providers-apache-hive 2.1.0 *

Airflow Providers released on Thu Nov 4

2021-11-04 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages were just released (18 packages in total were released in this wave). The source release, as well as the binary releases, are available here:

Airflow Providers released on Wed Jan 12 2022

2022-01-12 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. Those are cncf.kubernetes 3.0.1, sftp 2.4.1. It was an ad-hoc release as follow-up from the December one. The source release, as well as the binary releases, are available here:

Airflow Providers released on Thu Mar 10 are ready

2022-03-12 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. The source release, as well as the binary releases, are available here: https://airflow.apache.org/docs/apache-airflow-providers/installing-from-sources You can install the

Airflow Providers released on Fri, Feb 18 2022 are ready

2022-02-18 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. The source release, as well as the binary releases, are available here: https://airflow.apache.org/docs/apache-airflow-providers/installing-from-sources You can install the

Airflow Providers released on Sun Feb 13 are ready

2022-02-14 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. The source release, as well as the binary releases, are available here: https://airflow.apache.org/docs/apache-airflow-providers/installing-from-sources You can install the

Airflow Providers released on Sat Mar 26 2022 are ready

2022-03-29 Thread Jarek Potiuk
I'm happy to announce that new versions of Airflow Providers packages were just released. Those are mostly released to rectify the problem with accidentally adding gitpython and wheel as dependency for all providers (but there are also a few bugfixes - notably cncf.kubernetes and elasticsearch

Airflow Providers released on 19th of March are ready

2022-03-21 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. The source release, as well as the binary releases, are available here: https://airflow.apache.org/docs/apache-airflow-providers/installing-from-sources You can install the

Airflow Providers released on Sat Mar 26 2022 are ready

2022-03-28 Thread Jarek Potiuk
I'm happy to announce that new versions of Airflow Providers packages were just released. Those are mostly released to rectify the problem with accidentally adding gitpython and wheel as dependency for all providers (but there are also a few bugfixes - notably cncf.kubernetes and elasticsearch

[ANNOUNCE] Airflow Providers released on Thu 6 Jan are ready

2022-01-06 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. The source release, as well as the binary releases, are available here: https://airflow.apache.org/docs/apache-airflow-providers/installing-from-sources You can install the

[ANNOUNCEMENT] New Airflow Providers released on Mon 11 Apr

2022-04-11 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages were just released. The mission of Apache Airflow is the creation and maintenance of software related to workflow automation and scheduling that can be used to author and manage data pipelines. Airflow

CVE-2023-46288: Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set

2023-10-23 Thread Jarek Potiuk
Severity: low Affected versions: - Apache Airflow 2.4.0 before 2.7.0 Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to

[ANNOUNCEMENT] New Airflow Providers released on Fri 22 Apr 2022

2022-04-22 Thread Jarek Potiuk
Dear Community, I'm happy to announce that new versions of Airflow Provider packages were just released. The mission of Apache Airflow is the creation and maintenance of software related to workflow automation and scheduling that can be used to author and manage data pipelines. Airflow Providers

[ANNOUNCE] New Airflow Providers released on Mon, 16 May, 2022

2022-05-17 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages were just released. The mission of Apache Airflow is the creation and maintenance of software related to workflow automation and scheduling that can be used to author and manage data pipelines. Airflow

Airflow Providers released on June 22, 2022 are ready

2022-06-22 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. This is an ad-hoc release of an important bug-fix version of 8.1.0 google provider and linked 3.1.0 oracle provider only. The source release, as well as the binary releases, are

[ANNOUNCE] New Airflow Providers released on Mon, 13 June, 2022

2022-06-14 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages were just released. The mission of Apache Airflow is the creation and maintenance of software related to workflow automation and scheduling that can be used to author and manage data pipelines. Airflow

Airflow Providers released on July 20, 2022 are ready

2022-07-20 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. This is an ad-hoc release of providers that were removed from previous release due to bugs found: https://pypi.org/project/apache-airflow-providers-tabular/1.0.1/

Airflow Providers released on July 17, 2022 are ready

2022-07-17 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. This is more than a regular set of providers. We released 41 providers in total this month. Additionally to regular providers we released first version of Tabular provider and

Airflow Providers released on August 18, 2022 are ready

2022-08-18 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released: * common-sql: 1.1.0 * databricks: 3.2.0 This a follow up release with fixes of bugs in the RC candidates of those providers found during testing. The source release, as well as the

Airflow Providers released on October 06, 2022 are ready

2022-10-06 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. Those are two providers (google, slack) released with bug-fixes applied to problems found in the previous wave of packages. The source release, as well as the binary releases, are

Airflow Providers released on October 1, 2022 are ready

2022-10-01 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released: This is a regular release of a number of providers: * new major backwards-incompatible release of "amazon" * renamed jira provider to "atlassian-jira" (starting at 1.0.0 version).

Airflow Providers released on August 14, 2022 are ready

2022-08-14 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. This is a regular bugfix release of a number of providers but there are few notable ones: * new major backwards-incompatible releases of amazon, presto, trino, exasol, hive packages

CVE-2022-46421: Apache Airflow Hive Provider: Hive Provider RCE vulnerability with hive_cli_params

2022-12-20 Thread Jarek Potiuk
Severity: moderate Description: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: before 5.0.0. Credit: id_No2015429 of 3H Security Team

[ANNOUNCE] Airflow Providers released on December 02, 2022 released

2022-12-02 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. This was an ad-hoc release of three providers with bug-fixes necessary to release Airflow 2.5.0 (also released today): exasol (4.1.2), snowflake(4.0.2) and zendesk (4.2.0).

Airflow Providers released on 18th of November

2022-11-18 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. This was a special release - this is the first wave of Airflow 2.3+ only providers - all subsequent release will only be compatible with Airflow 2.3 and you need to update to Airflow

Airflow Providers released on November 29, 2022 are ready

2022-11-29 Thread Jarek Potiuk
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. This is a follow-up release after the November release. Mostly it's about fixing problems we found after release with common.sql provider and its interaction with

CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to read arbitrary files

2022-11-21 Thread Jarek Potiuk
Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue affects

CVE-2022-38649: Apache Airflow Pinot Provider, Apache Airflow: PinotAdminHook Command Injection

2022-11-21 Thread Jarek Potiuk
Severity: moderate Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG

CVE-2022-40189: Apache Airflow Pig Provider RCE

2022-11-21 Thread Jarek Potiuk
Severity: moderate Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG

CVE-2022-41131: Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)

2022-11-21 Thread Jarek Potiuk
Severity: moderate Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG

Re: CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to read arbitrary files

2022-11-21 Thread Jarek Potiuk
Just to add severity: moderate. On Mon, Nov 21, 2022 at 9:41 PM Jarek Potiuk wrote: > > Description: > > Improper Neutralization of Special Elements used in an OS Command ('OS > Command Injection') vulnerability in Apache Airflow Spark Provider, Apache > Airflow allows a

Re: CVE-2023-22884: Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow

2023-01-23 Thread Jarek Potiuk
Also we want to credit id_No2015429 of 3H Security Team for his reports for the same issue. J. On Mon, Jan 23, 2023 at 12:25 PM Jarek Potiuk wrote: > > Also we want to credit id_No2015429 of 3H Security Team for his reports for > the same issue. > > On Sat, Jan 21, 2023 a

CVE-2023-22884: Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow

2023-01-22 Thread Jarek Potiuk
Severity: important Description: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache

CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example

2022-11-14 Thread Jarek Potiuk
Severity: low Description: A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. Mitigation:

CVE-2022-27949: Apache Airflow: sensitive values in rendered template

2022-11-14 Thread Jarek Potiuk
Severity: low Description: A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache

Re: CVE-2022-27949: Apache Airflow: sensitive values in rendered template

2022-11-15 Thread Jarek Potiuk
Additional info: Credit: Apache Airflow PMC would like to thank James Srinivasan for reporting it. On Mon, Nov 14, 2022 at 12:50 AM Jarek Potiuk wrote: > > Severity: low > > Description: > > A vulnerability in UI of Apache Airflow allows an attacker to view unmasked >

CVE-2023-25695: Information disclosure in Apache Airflow

2023-03-15 Thread Jarek Potiuk
Severity: low Description: Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.5.2. Credit: kuteminh11 (finder) References: https://github.com/apache/airflow/pull/29501

Re: CVE-2023-25691: Apache Airflow Google Provider: Google Cloud Sql Provider Remote Command Execution

2023-02-23 Thread Jarek Potiuk
Also we would like to credit Xie Jianming of Caiji Sec Team (finder of the issue) On Thu, Feb 23, 2023 at 6:16 PM Jarek Potiuk wrote: > > Severity: moderate > > Description: > > Improper Input Validation vulnerability in Apache Software Foundation Apache > Airflow Googl

CVE-2023-25692: Apache Airflow Google Provider: Google Cloud Sql Provider Denial Of Service

2023-02-23 Thread Jarek Potiuk
Severity: low Description: Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0. Credit: Xie Jianming of Caiji Sec Team (finder) References: https://github.com/apache/airflow/pull/29499

CVE-2023-25691: Apache Airflow Google Provider: Google Cloud Sql Provider Remote Command Execution

2023-02-23 Thread Jarek Potiuk
Severity: moderate Description: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider: before 8.10.0. References: https://github.com/apache/airflow/pull/29497 https://airflow.apache.org/

CVE-2023-25693: Sqoop Apache Airflow Provider Remote Code Execution Vulnerability

2023-02-23 Thread Jarek Potiuk
Severity: moderate Description: Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. Credit: L3yx of Syclover Security Team (finder) References: https://github.com/apache/airflow/pull/29500

CVE-2023-25696: Apache Airflow Hive Provider Beeline RCE

2023-02-23 Thread Jarek Potiuk
Severity: moderate Description: Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. Credit: id_No2015429 of 3H Security Team (finder) References: https://github.com/apache/airflow/pull/29502

CVE-2023-25956: Apache Airflow AWS Provider: Arbitrary file read via AWS provider

2023-02-23 Thread Jarek Potiuk
Severity: moderate Description: Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1. Credit: Son Tran from VNPT - VCI (finder) References:

CVE-2023-28706: Apache Airflow Hive Provider Beeline Remote Command Execution

2023-04-07 Thread Jarek Potiuk
Severity: low Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: before 6.0.0. Credit: sw0rd1ight of Caiji Sec Team and 4ra1n of Chaitin Tech (finder)

CVE-2023-28710: Apache Airflow Spark Provider Arbitrary File Read via JDBC

2023-04-07 Thread Jarek Potiuk
Severity: low Description: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider. This issue affects Apache Airflow Spark Provider: before 4.0.1. Credit: Xie Jianming of Nsfocus (finder) References: https://github.com/apache/airflow/pull/30223

CVE-2023-28707: Airflow Apache Drill Provider Arbitrary File Read Vulnerability

2023-04-07 Thread Jarek Potiuk
Severity: low Description: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. This issue affects Apache Airflow Drill Provider: before 2.3.2. Credit: Kai Zhao of 3H Security Team (finder) References:

CVE-2023-39508: Apache Airflow: Airflow "Run task" feature allows execution with unnecessary privileges

2023-08-06 Thread Jarek Potiuk
Severity: moderate Affected versions: - Apache Airflow before 2.6.0 Description: Execution with Unnecessary Privileges, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The "Run Task" feature enables authenticated user to

CVE-2023-25754: Apache Airflow: Privilege escalation using airflow logs

2023-05-08 Thread Jarek Potiuk
Severity: moderate Affected versions: - Apache Airflow before 2.6.0 Description: Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.6.0. Credit: ksw9...@naver.com (finder) References:

[ANNOUNCE] Apache Airflow Providers prepared on 12 December 2023 are released

2023-12-18 Thread Jarek Potiuk
Dear Community, I'm happy to announce that new versions of Airflow Providers packages were just released. https://pypi.org/project/apache-airflow-providers-odbc/4.3.0/ https://pypi.org/project/apache-airflow-providers-docker/3.9.0/

[ANNOUNCE] Apache Airflow Providers prepared on 28th December 2023 are released

2024-01-01 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages prepared on 28th of December 2023 were just released. Full list of PyPI packages released is added at the end of the message. The source release, as well as the binary releases, are available here:

[ANNOUNCE] Apache Airflow Providers prepared on December 31, 2023 are released

2024-01-03 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages prepared on December 31, 2023 were just released. Full list of PyPI packages released is added at the end of the message. The source release, as well as the binary releases, are available here:

[ANNOUNCE] Apache Airflow Providers prepared on 23rd December 2023 are released

2023-12-28 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages were just released. There are 49 provider packages released this time. The full list follows at the end. The source release, as well as the binary releases, are available here:

[ANNOUNCE] Apache Airflow Providers prepared on January 26, 2024 are released

2024-01-27 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages prepared on January 26, 2024 were just released. Full list of PyPI packages released is added at the end of the message. The source release, as well as the binary releases, are available here:

CVE-2024-25128: Apache Airflow Vulnerability: custom, long deprecated OpenID (NOT OIDC)

2024-02-28 Thread Jarek Potiuk
CVE-2024-25128: Vulnerability in custom, long deprecated OpenID (NOT OIDC) authentication method in Flask AppBuilder Severity: moderate Affected versions: - Apache Airflow before 2.8.2 Description: When Flask-AppBuilder configuration is set to ``AUTH_TYPE`` set to ``AUTH_OID``, it allows an

CVE-2024-29735: Apache Airflow: Potentially harmful permission changing by log task handler

2024-03-26 Thread Jarek Potiuk
Severity: important Affected versions: - Apache Airflow 2.8.2 through 2.8.3 Description: Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions

[ANNOUNCE] Apache Airflow Providers prepared on March 25, 2024 are released

2024-04-03 Thread Jarek Potiuk
Dear community, I'm happy to announce that new versions of Airflow Providers packages prepared on March 25, 2024 were just released. Full list of PyPI packages released is added at the end of the message. The source release, as well as the binary releases, are available here: