Astronomer Certified Security
This page is the source of truth for any CVE (Common Vulnerabilities and Exposures) identified within any of our Astronomer Certified Images running Apache Airflow.
Currently, our officially supported Astronomer Certified images are listed in two places:
If you run on Astronomer Cloud or Enterprise, you can refer to our Airflow Versioning Doc for detailed guidelines on how to upgrade between Airflow versions on the platform.
Reporting Vulnerabilities and Security Concerns
Vulnerability reports for Astronomer Certified should be sent to email@example.com. All security concerns, questions and requests should be directed here.
When we receive a request, our dedicated security team will evaluate and validate it. If we confirm a vulnerability, we’ll allocate internal resources towards identifying and publishing a resolution in an updated image. The timeline within which vulnerabilities are addressed will depend on the severity level of the vulnerability and its impact.
Once a resolution has been confirmed, we'll release it in the next major or minor Astronomer Certified image and publish details to this page in the section below.
Note: All other Airflow and product support requests should be directed to Astronomer's Support Portal, where our team's Airflow Engineers are ready to help.
Previously Announced Vulnerabilities
Apache Airflow Core
| CVE | Date | Description | Resolution |
|---|---|---|---|
| CVE-2021-38540 | 2021-09-09 | Variable Import endpoint missed authentication check. (Details) | Use one of the following AC Versions: |
| CVE-2021-35936 | 2021-08-13 | No Authentication on Logging Server. (Details) | Use one of the following AC Versions: |
| CVE-2021-28359 | 2021-02-17 | The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in the 1.x series and affects 2.0.0 and 2.0.1 in the 2.x series. Update to Airflow 1.10.15 or 2.0.2. This is the same as CVE-2020-13944 & CVE-2020-17515, but the implemented fix did not account for certain cases. (Details) | Use one of the following AC Versions: |
| CVE-2021-26697 | 2021-02-17 | Lineage API endpoint for Experimental API missed authentication check. (Details) | Use one of the following AC Versions: |
| CVE-2021-26559 | 2021-02-17 | Users with Viewer or User role can get Airflow Configurations using Stable API, including sensitive information, even when | Use one of the following AC Versions: |
| CVE-2020-17526 | 2020-12-21 | Incorrect Session Validation in Airflow Webserver with default config allows a malicious Airflow user on site A, where they log in normally, to access an unauthorized Airflow Webserver on site B through the session from site A. (Details) | Use one of the following AC Versions: |
| CVE-2020-17513 | 2020-12-11 | The Charts and Query View of the old (Flask-admin based) UI were vulnerable to SSRF attack. (Details) | Use one of the following AC Versions: |
| CVE-2020-17511 | 2020-12-11 | Apache Airflow Admin password gets logged in plain text. (Details) | Use one of the following AC Versions: |
| CVE-2020-17515 | 2020-12-11 | The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This is the same as CVE-2020-13944, but the implemented fix in Airflow 1.10.13 did not fix the issue completely. (Details) | Use one of the following AC Versions: |
| CVE-2020-13944 | 2020-09-16 | Affects Apache Airflow versions < 1.10.12. In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. (Details) | Use one of the following AC Versions: |
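The three "origin" entries above share one shape: a user-supplied redirect target that was reflected after a check which left some inputs uncovered. As an added illustration (not Astronomer's or Apache Airflow's code), the snippet below contrasts a prefix-only check with a parse-based same-site allowlist; the endpoint paths, hostnames and default target are constructed for the example.

```python
"""Added example: validating a user-supplied "origin" redirect target.
Not Astronomer's or Airflow's code; hostnames, paths and the default
target below are constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/home"  # constructed fallback page


def naive_is_safe(origin: str) -> bool:
    """A prefix-only check, the kind of fix that leaves cases uncovered.

    It rejects only absolute http(s) URLs, so protocol-relative ("//host"),
    "javascript:" and backslash forms still pass and get reflected."""
    return not origin.lower().startswith(("http://", "https://"))


def safe_origin(origin: str, default: str = DEFAULT_TARGET) -> str:
    """Parse-based allowlist: return `origin` only if it is a same-site,
    single-slash relative path; otherwise return the default target.

    Rebuilding the result from parsed parts (rather than echoing the raw
    string) drops any scheme or authority the parser split off."""
    if not isinstance(origin, str) or not origin:
        return default
    # Drop control characters (CR/LF etc.) and surrounding whitespace.
    cleaned = "".join(ch for ch in origin if ch.isprintable()).strip()
    # Browsers treat "\" like "/" in URLs, so normalise before parsing.
    cleaned = cleaned.replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return default  # absolute, protocol-relative or javascript: URL
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default  # must have exactly one leading slash
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ("/tree?dag_id=example", "//evil.example/",
                      "javascript:alert(1)", "/\\evil.example"):
        print(f"{candidate!r:28} naive={naive_is_safe(candidate)!s:5} "
              f"hardened -> {safe_origin(candidate)!r}")
```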
Astronomer Certified Docker Images
This section lists security-related updates and mitigations in the Astronomer Certified Docker images.
| CVE | Date | Component | Affected images | Description | Resolution |
|---|---|---|---|---|---|
| CVE-2020-1967 | 2019-12-03 | OpenSSL | | Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f). (Details) | Use Docker image with one of the following AC Versions: |
| CVE-2019-16168 | 2019-09-09 | SQLite | Alpine Images with the following AC Versions: | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." (Details) | Use Docker image with one of the following AC Versions: |