Hi Airflow community,
Please find below the information about a vulnerability which has been
addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I
would recommend users to upgrade to Airflow 1.10.14 (released yesterday):
CVE-2020-17511: Apache Airflow Airflow admin password
Hi Airflow community,
Please find below the information about a vulnerability which has been
addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I
would recommend users to upgrade to Airflow 1.10.14 (released yesterday):
CVE-2020-17515: Apache Airflow Reflected XSS via Origin
Hi Airflow community,
Please find below the information about a vulnerability which has been
addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I
would recommend users to upgrade to Airflow 1.10.14 (released yesterday):
CVE-2020-17513: Apache Airflow Server-Side Request
Hi community,
Please find below the information about a vulnerability which has been
addressed in Apache Airflow 2.0.2 and 1.10.15:
CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL
Description:
The "origin" parameter passed to some of the endpoints like '/trigger'
Hello all,
Please find below the information about a vulnerability which has been
addressed in Apache Airflow v2.0.1:
CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API
missed authentication check
Description:
The lineage endpoint of the deprecated Experimental API was
Software: Apache Airflow
Versions Affected: 2.0.0
Description:
Improper Access Control on Configurations Endpoint for the Stable API of Apache
Airflow allows users with Viewer or User role to get Airflow Configurations
including sensitive information even when `[webserver] expose_config` is
Description:
If remote logging is not used, the worker (in the case of CeleryExecutor) or
the scheduler (in the case of LocalExecutor) runs a Flask logging server and is
listening on a specific port and also binds on 0.0.0.0 by default.
This logging server had no authentication and allows
Description:
The variable import endpoint was not protected by authentication in Airflow
>=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to
add/modify Airflow variables used in DAGs, potentially
resulting in a denial of service, information disclosure or remote code
Dear community,
I'm happy to announce that Airflow 2.1.4 was just released.
The released sources and packages can be downloaded via
https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html
Other installation methods are described in
Dear community,
I'm happy to announce that Airflow 2.2.0 was just released.
The released sources and packages can be downloaded via
https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html
Other installation methods are described in
Description:
This CVE applies to a specific case where a User who has "can_create"
permissions on DAG Runs can create Dag Runs for dags that they don't have
"edit" permissions for.
This is a very low severity CVE and admins can mitigate this issue by removing
the global "can_create"