ReferenceAstronomer Certified (Deprecated)

Astronomer Certified security

No versions of Astronomer Certified (AC) are currently supported by Astronomer. Astronomer stopped releasing new versions of AC with the release of Apache Airflow 2.4. Astronomer recommends creating all new Deployments with Astro Runtime, as well as migrating existing Deployments from AC to Astro Runtime as soon as your organization is ready. See Migrate to Runtime and Runtime image architecture.

This page is the source of truth for any Common Vulnerabilities and Exposures (CVEs) identified within any of our supported Astronomer Certified images for Apache Airflow.

You can find information about supported Astronomer Certified images in the following locations:

Refer to Upgrade Apache Airflow on Astronomer for detailed guidelines on how to upgrade between Airflow versions on your Software instance.

Reporting Vulnerabilities and Security Concerns

Vulnerability reports for Astronomer Certified should be sent to security@astronomer.io. All security concerns, questions and requests should be directed here.

When we receive a request, our dedicated security team will evaluate and validate it. If we confirm a vulnerability, we’ll allocate internal resources towards identifying and publishing a resolution in an updated image. The timeline within which vulnerabilities are addressed will depend on the severity level of the vulnerability and its impact.

Once a resolution has been confirmed, we’ll release it in the next major, minor, or patch Astronomer Certified image and publish details to this page in the section below.

All other Airflow and product support requests should be directed to Astronomer’s Support Portal, where our team’s Airflow Engineers are ready to help.

Previously Announced Vulnerabilities

Apache Airflow Core

CVEDateVersions AffectedDescriptionRemediation
CVE-2022-242882022-02-24
  • 2.2.3-1 to 2.2.3-2
  • 2.2.2-1 to 2.2.2-2
  • 2.2.1-1 to 2.2.1-3
  • 2.2.0-1 to 2.2.0-5
  • 2.1.4-1 to 2.1.4-4
  • 2.1.3-1 to 2.1.3-4
  • 2.1.1-1 to 2.1.1-6
  • 2.1.0-1 to 2.1.0-7
  • 2.0.2-1 to 2.0.2-6
  • 2.0.0-1 to 2.0.0-10
  • 1.10.15-1 to 1.10.15-4
  • 1.10.14-1 to 1.10.14-5
  • 1.10.12-1 to 1.10.12-6
RCE in example DAGs. (Details)Use one of the following AC Versions:
  • 2.2.4-1
  • 2.1.4-5
  • 1.10.15-5
CVE-2021-452292022-02-24
  • 2.2.3-1 to 2.2.3-2
  • 2.2.2-1 to 2.2.2-2
  • 2.2.1-1 to 2.2.1-3
  • 2.2.0-1 to 2.2.0-5
  • 2.1.4-1 to 2.1.4-4
  • 2.1.3-1 to 2.1.3-4
  • 2.1.1-1 to 2.1.1-6
  • 2.1.0-1 to 2.1.0-7
  • 2.0.2-1 to 2.0.2-6
  • 2.0.0-1 to 2.0.0-10
  • 1.10.15-1 to 1.10.15-4
  • 1.10.14-1 to 1.10.14-5
  • 1.10.12-1 to 1.10.12-6
Reflected XSS via Origin Query Argument in URL. (Details)Use one of the following AC Versions:
  • 2.2.4-1
  • 2.1.4-5
  • 1.10.15-5
CVE-2021-452302022-01-19
  • 2.1.4-1 to 2.1.4-3
  • 2.1.3-1 to 2.1.3-3
  • 2.1.1-1 to 2.1.1-5
  • 2.1.0-1 to 2.1.0-6
Creating DagRuns didn’t respect Dag-level permissions in the webserver. (Details)Use one of the following AC Versions:
  • 2.1.4-4
  • 2.1.3-4
  • 2.1.1-6
  • 2.1.0-7
CVE-2021-385402021-09-09
  • 2.1.1-1 to 2.1.1-2
  • 2.1.0-1 to 2.1.0-3
  • 2.0.2-1 to 2.0.2-4
  • 2.0.0-1 to 2.0.0-8
Variable Import endpoint missed authentication check. (Details)Use one of the following AC Versions:
  • 2.1.1-3
  • 2.1.0-4
  • 2.0.2-5
  • 2.0.0-9
CVE-2021-359362021-08-13
  • 2.1.1-1
  • 2.1.0-1 to 2.1.0-2
  • 2.0.2-1 to 2.0.2-3
  • 2.0.0-1 to 2.0.0-7
  • 1.10.15-1 to 1.10.15-2
  • 1.10.14-1 to 1.10.14-3
  • 1.10.12-1 to 1.10.12-4
  • 1.10.10-1 to 1.10.10-8
  • 1.10.7-1 to 1.10.7-18
  • 1.10.5-1 to 1.10.5-11
No Authentication on Logging Server. (Details)Use one of the following AC Versions:
  • 2.1.1-2
  • 2.1.0-3
  • 2.0.2-4
  • 2.0.0-8
  • 1.10.15-3
  • 1.10.14-4
  • 1.10.12-4
  • 1.10.10-9
  • 1.10.7-19
CVE-2021-283592021-02-17
  • 2.0.0-1 to 2.0.0-3
  • 1.10.14-1 to 1.10.14-2
  • 1.10.12-1 to 1.10.12-3
  • 1.10.10-1 to 1.10.10-7
  • 1.10.7-1 to 1.10.7-17
  • 1.10.5-1 to 1.10.5-11
The “origin” parameter passed to some of the endpoints like ‘/trigger’ was vulnerable to XSS exploit. This issue affects Apache Airflow versions earlier than 1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. Update to Airflow 1.10.15 or 2.0.2. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not account for certain cases. (Details)Use one of the following AC Versions:
  • 2.0.0-4
  • 1.10.14-3
  • 1.10.12-4
  • 1.10.10-8
  • 1.10.7-18
CVE-2021-266972021-02-17
  • 2.0.0-1 to 2.0.0-2
Lineage API endpoint for Experimental API missed authentication check. (Details)Use one of the following AC Versions:
  • 2.0.0-3
CVE-2021-265592021-02-17
  • 2.0.0-1 to 2.0.0-2
Users with Viewer or User role can get Airflow Configurations using Stable API including sensitive information even when [webserver] expose_config is set to False in airflow.cfg. (Details)Use one of the following AC Versions:
  • 2.0.0-3
CVE-2020-175262020-12-21
  • 1.10.12-1
  • 1.10.10-1 to 1.10.10-5
  • 1.10.7-1 to 1.10.7-15
  • 1.10.5-1 to 1.10.5-11
Incorrect Session Validation in Airflow webserver with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow webserver on Site B through the session from Site A. (Details)Use one of the following AC Versions:
  • 1.10.14-1
  • 1.10.12-2
  • 1.10.10-6
  • 1.10.7-16
CVE-2020-175132020-12-11
  • 1.10.12-1
  • 1.10.10-1 to 1.10.10-5
  • 1.10.7-1 to 1.10.7-15
  • 1.10.5-1 to 1.10.5-11
The Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. (Details)Use one of the following AC Versions:
  • 1.10.14-1
  • 1.10.12-2
  • 1.10.10-6
  • 1.10.7-16
CVE-2020-175112020-12-11
  • 1.10.12-1
  • 1.10.10-1 to 1.10.10-5
  • 1.10.7-1 to 1.10.7-15
  • 1.10.5-1 to 1.10.5-11
Apache Airflow Admin password gets logged in plain text. (Details)Use one of the following AC Versions:
  • 1.10.14-1
  • 1.10.12-2
  • 1.10.10-6
  • 1.10.7-16
CVE-2020-175152020-12-11
  • 1.10.12-1
  • 1.10.10-1 to 1.10.10-5
  • 1.10.7-1 to 1.10.7-15
  • 1.10.5-1 to 1.10.5-11
The “origin” parameter passed to some of the endpoints like ‘/trigger’ was vulnerable to XSS exploit. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. (Details)Use one of the following AC Versions:
  • 1.10.14-1
  • 1.10.12-2
  • 1.10.10-6
  • 1.10.7-16
CVE-2020-139442020-09-16Apache Airflow versions < 1.10.12In Apache Airflow < 1.10.12, the “origin” parameter passed to some of the endpoints like ‘/trigger’ was vulnerable to XSS exploit. (Details)Use one of the following AC Versions:
  • 1.10.10-5
  • 1.10.7-15

Astronomer Certified Docker images

This section lists security related updates/mitigations in the Astronomer Certified docker images.

CVEDateComponentVersions AffectedDescriptionRemediation
CVE-2021-412652022-01-19Flask-AppBuilder
  • 2.2.1-1 to 2.2.1-2
  • 2.2.0-1 to 2.2.0-4
  • 2.1.4-1 to 2.1.4-3
  • 2.1.3-1 to 2.1.3-3
  • 2.1.1-1 to 2.1.1-5
  • 2.1.0-1 to 2.1.0-6
Improper Authentication in Flask-AppBuilder. (Details)Use one of the following AC Versions:
  • 2.2.1-3
  • 2.2.0-5
  • 2.1.4-4
  • 2.1.3-4
  • 2.1.1-6
  • 2.1.0-7
CVE-2021-237272022-01-19Celery
  • 2.2.3-1
  • 2.2.2-1
  • 2.2.1-1 to 2.2.1-2
  • 2.2.0-1 to 2.2.0-4
This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system. (Details)Use Docker image with one of the following AC Versions:
  • 2.2.3-2
  • 2.2.2-2
  • 2.2.1-3
  • 2.2.0-5
CVE-2021-334302022-01-19NumPy
  • 2.2.3-1
  • 2.2.2-1
  • 2.2.1-1 to 2.2.1-2
  • 2.2.0-1 to 2.2.0-4
  • 2.1.4-1 to 2.1.4-3
  • 2.1.3-1 to 2.1.3-3
  • 2.1.1-1 to 2.1.1-5
  • 2.1.0-1 to 2.1.0-6
A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. (Details)Use Docker image with one of the following AC Versions:
  • 2.2.3-2
  • 2.2.2-2
  • 2.2.1-3
  • 2.2.0-5
  • 2.1.4-4
  • 2.1.3-4
  • 2.1.1-6
  • 2.1.0-7
CVE-2020-19672019-12-03OpenSSL
  • 1.10.7-1 to 1.10.7-8
  • 1.10.5-1 to 1.10.5-6
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the “signature_algorithms_cert” TLS extension.
The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f). (Details)		Use Docker image with one of the following AC Versions:
  • 1.10.7-10
  • 1.10.5-7
CVE-2019-161682019-09-09SQLiteAlpine images with following AC Versions:
  • 1.10.7-1 to 1.10.7-8
  • 1.10.5-1 to 1.10.5-6
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a “severe division by zero in the query planner.” (Details)Use Docker image with one of the following AC Versions:
  • 1.10.7-10
  • 1.10.5-7