CVE-2020-17511: Apache Airflow Airflow admin password gets logged in plain text

2020-12-11 Thread Kaxil Naik
Hi Airflow community, Please find below the information about a vulnerability which has been addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I would recommend users to upgrade to Airflow 1.10.14 (released yesterday): *CVE-2020-17511: Apache Airflow Airflow admin password

Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515

2020-12-11 Thread Kaxil Naik
Hi Airflow community, Please find below the information about a vulnerability which has been addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I would recommend users to upgrade to Airflow 1.10.14 (released yesterday): *CVE-2020-17515: Apache Airflow Reflected XSS via Origin

CVE-2020-17513: Apache Airflow Server-Side Request Forgery (SSRF) in Charts & Query View

2020-12-11 Thread Kaxil Naik
Hi Airflow community, Please find below the information about a vulnerability which has been addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I would recommend users to upgrade to Airflow 1.10.14 (released yesterday): *CVE-2020-17513: Apache Airflow Server-Side Request

Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL

2021-05-03 Thread Kaxil Naik
Hi community, Please find below the information about a vulnerability which has been addressed in Apache Airflow 2.0.2 and 1.10.15: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL Description: The "origin" parameter passed to some of the endpoints like '/trigger'

CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check

2021-02-17 Thread Kaxil Naik
Hello all, Please find below the information about a vulnerability which has been addressed in Apache Airflow v2.0.1: CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check Description: The lineage endpoint of the deprecated Experimental API was

CVE-2021-26559: Apache Airflow: CWE-284 Privilege Escalation Attack

2021-02-17 Thread Kaxil Naik
Software: Apache Airflow Versions Affected: 2.0.0 Description: Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is

CVE-2021-35936: Apache Airflow: No Authentication on Logging Server

2021-08-13 Thread Kaxil Naik
Description: If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows

CVE-2021-38540: Apache Airflow: Variable Import endpoint missed authentication check

2021-09-09 Thread Kaxil Naik
Description: The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code

[ANNOUNCE] Apache Airflow 2.1.4 is released

2021-09-18 Thread Kaxil Naik
Dear community, I'm happy to announce that Airflow 2.1.4 was just released. The released sources and packages can be downloaded via https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html Other installation methods are described in

[ANNOUNCE] Airflow 2.2.0 is released

2021-10-12 Thread Kaxil Naik
Dear community, I'm happy to announce that Airflow 2.2.0 was just released. The released sources and packages can be downloaded via https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html Other installation methods are described in

CVE-2021-45230: Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver

2022-01-20 Thread Kaxil Naik
Description: This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for. This is a very low severity CVE and admins can mitigate this issue by removing the global "can_create"