Jens Scheffler

**Name of the Vulnerable Software and Affected Versions** Airflow versions prior to 3.1.4 Airflow versions prior to 2.11.1 **Description** A flaw exists in Airflow where the user interface (UI) error reporting could expose sensitive information passed as keyword arguments (`kwargs`) to operators when a Directed Acyclic Graph (DAG) failed during parsing. This exposure was limited to authenticated users with permission to view the affected DAG. The issue could lead to the disclosure of secrets or other sensitive values included within the `kwargs`. **Recommendations** Upgrade to Airflow version 3.1.4 or later. Upgrade to Airflow version 2.11.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.9.2 **Description** The issue is related to the use of web browser cache containing sensitive information in Apache Airflow. Airflow did not return a "Cache-Control" header for dynamic content, which could result in potentially storing sensitive data in the local cache of the browser. This could allow an attacker to disclose protected information through the Cache-Control header. **Recommendations** For Apache Airflow versions prior to 2.9.2, upgrade to version 2.9.2, which fixes the issue. As a temporary workaround, consider configuring the browser to disable caching of sensitive data or restricting access to sensitive information until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow version 2.9.0 **Description** The issue allows an authenticated attacker to inject malicious data into the task instance logs. This is a critical security vulnerability that enables attackers to inject data into the task instance logs. **Recommendations** For Apache Airflow version 2.9.0, upgrade to version 2.9.1 to fix the issue. As a temporary workaround, consider restricting access to the task instance logs until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 2.6.0 through 2.7.3 **Description** The issue is related to a stored XSS vulnerability that allows a DAG author to add unbounded and not-sanitized JavaScript in the parameter description field of the DAG. This JavaScript can be executed on the client side of any user who looks at the tasks in the browser sandbox, allowing modification of what the user sees in the browser. This opens up possibilities of misleading other users. **Recommendations** For Apache Airflow versions 2.6.0 through 2.7.3, upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. As a temporary workaround, consider restricting access to the parameter description field of the DAG to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 2.7.0 through 2.7.3 **Description** The issue is related to insufficient authentication of executed requests in Apache Airflow, allowing an attacker to trigger a DAG in a GET request without CSRF validation. This could enable a malicious website opened in the same browser as the Airflow UI to trigger the execution of DAGs without the user's consent. **Recommendations** For Apache Airflow versions 2.7.0 through 2.7.3, upgrade to version 2.8.0 or later, which is not affected by this issue. As a temporary workaround, consider restricting access to the Airflow UI to minimize the risk of exploitation.