Amogh Desai

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.0 **Description** Dag Authors can craft an XCom payload that allows the webserver to execute arbitrary code, bypassing the restriction that normally prevents them from executing code in the webserver context. **Recommendations** Upgrade to Apache Airflow 3.2.0.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.0 **Description** Dag Authors can craft a malicious XCom payload that allows them to execute arbitrary code within the webserver context, bypassing the standard restriction that prevents them from executing code in that environment. **Recommendations** Upgrade to Apache Airflow 3.2.0.

**Name of the Vulnerable Software and Affected Versions** Airflow versions prior to 3.2.0 **Description** Lack of clarity regarding the responsibilities of the Deployment Manager in ensuring secure deployments. Certain assumptions about the security model, workload isolation, and JWT authentication were not explicit enough, which could lead to insecure configurations. The Deployment Manager is ultimately responsible for securing the deployment. **Recommendations** Upgrade to version 3.2.0.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.1.6 **Description** When rendered template fields in a Dag exceed `max templated field length`, sensitive values could be exposed in cleartext in the Rendered Templates UI. This is due to the serialization of these fields using a secrets masker instance that did not include user-registered `mask secret()` patterns, resulting in unreliable masking of secrets before truncation and display. **Recommendations** Upgrade to version 3.1.6 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.1.4 **Description** A flaw exists in Apache Airflow where authenticated users of the user interface could view secret values within rendered templates. This occurred because secrets were not properly redacted, potentially granting unauthorized access to sensitive information. **Recommendations** Upgrade to version 3.1.4 to resolve this issue.

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions before 2.10.3 Description: The issue is related to the exposure of sensitive configuration variables in task logs. This could allow unauthorized users to access critical data, potentially compromising the security of the Airflow deployment. The estimated number of potentially affected devices worldwide is over 54,000, as indicated by a search on ZoomEye. Recommendations: To resolve the issue, users should upgrade to Airflow 2.10.3 or the latest version. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.

Name of the Vulnerable Software and Affected Versions: Apache Airflow version 2.10.0 Description: The issue allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. This is related to the example DAG `example inlet event extra.py` shipped with Apache Airflow. It is recommended to review DAGs based on this example and to avoid exposing example DAGs in deployments. Recommendations: For Apache Airflow version 2.10.0, upgrade to version 2.10.1 or later to resolve the issue. If you must expose the example DAGs, consider upgrading as the primary mitigation measure. As a temporary workaround, consider restricting access to the example DAGs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.10.1 **Description** The issue allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to a fixed version. **Recommendations** For Apache Airflow versions prior to 2.10.1, upgrade to version 2.10.1 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the DAG folder to prevent unauthorized execution of local settings.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.10.0 **Description** The issue allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This requires the provider to be installed on the web server and the user to click the provider link. **Recommendations** For Apache Airflow versions prior to 2.10.0, upgrade to 2.10.0 or later, which fixes this issue. As a temporary workaround, consider restricting access to provider documentation links to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.9.3 Description: The issue is related to the lack of protection for the web page structure in the Provider component of Apache Airflow, allowing an authenticated attacker to inject a malicious link when installing a provider. This can lead to a cross-site scripting (XSS) attack. Recommendations: For Apache Airflow versions prior to 2.9.3, upgrade to version 2.9.3 to fix the issue.