Airflow
Monthly
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via the Airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. User...
A DAG Author (who already has quite a lot of permissions) could manipulate the Airflow 2 database in a way that executes arbitrary code in the web-server context, which they should normally not be able to do, potentially leading to remote code execution in the context of the web server (server-side) when a user views historical task information. [CVSS 8.4 HIGH]
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. [CVSS 6.5 MEDIUM]
Apache Airflow 3.0.0 through 3.1.6 allows authenticated users with access to specific DAGs to view import error messages from other DAGs they lack permission to access, resulting in unintended information disclosure. An authenticated attacker can leverage this privilege escalation to gather sensitive information about other workflows and their configurations. Apache recommends upgrading to version 3.1.7 or later to remediate this vulnerability.
Airflow versions up to 3.1.6 contain a vulnerability that allows an authenticated user with custom permissions limited to task access to view tas (CVSS 6.5).
In Apache Airflow versions before 3.1.6 and 2.11.1, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or la...
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. [CVSS 7.5 HIGH]
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.