forked from wolfi-dev/advisories
-
Notifications
You must be signed in to change notification settings - Fork 0
/
airflow.advisories.yaml
682 lines (651 loc) · 26.3 KB
/
airflow.advisories.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
schema-version: 2.0.2
package:
name: airflow
advisories:
- id: CGA-222c-fw64-wpxf
aliases:
- CVE-2024-42447
- GHSA-62qf-qm3g-fvcw
events:
- timestamp: 2024-08-06T09:33:39Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: ac580815a7b6d1cd
componentName: apache-airflow-providers-fab
componentVersion: 1.2.1
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow_providers_fab-1.2.1.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow_providers_fab-1.2.1.dist-info/RECORD
scanner: grype
- timestamp: 2024-08-14T15:23:17Z
type: pending-upstream-fix
data:
note: This vulnerability requires a new release to include an upgrade of the apache-airflow-providers-fab module to a non-vulnerable version v1.2.2. This upgrade has been included into a recent release candidate '2.10.0rc1'.
- timestamp: 2024-08-23T10:18:58Z
type: fixed
data:
fixed-version: 2.9.3-r2
- id: CGA-33w6-99cx-72gx
aliases:
- CVE-2024-25142
- GHSA-9xpj-62mm-24h2
events:
- timestamp: 2024-06-18T07:03:26Z
type: fixed
data:
fixed-version: 2.9.2-r0
- id: CGA-372m-j842-xpmm
aliases:
- CVE-2024-56201
- GHSA-gmj6-6f8f-6699
events:
- timestamp: 2024-12-24T07:08:15Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 569cc0f68ce28b67
componentName: jinja2
componentVersion: 3.1.4
componentType: python
componentLocation: /opt/airflow/lib/python3.12/site-packages/jinja2-3.1.4.dist-info/METADATA, /opt/airflow/lib/python3.12/site-packages/jinja2-3.1.4.dist-info/RECORD
scanner: grype
- id: CGA-3fx6-xvfc-v75r
aliases:
- CVE-2024-45314
- GHSA-fw5r-6m3x-rh7p
events:
- timestamp: 2024-09-06T07:01:58Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: c2711d7e873e1f7b
componentName: flask-appbuilder
componentVersion: 4.5.0
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/Flask_AppBuilder-4.5.0.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/Flask_AppBuilder-4.5.0.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/Flask_AppBuilder-4.5.0.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-09-16T19:35:14Z
type: pending-upstream-fix
data:
note: 'Due to the tightly coupled nature of airflow and Flask-AppBuilder stated here: https://github.com/apache/airflow/blob/30925c739b60d8a54d84c7c58a3ab854c167f2c1/airflow/providers/fab/provider.yaml#L50, any changes to the security/manager.py file need to be implemented in an override file found here: https://github.com/apache/airflow/blob/main/airflow/providers/fab/auth_manager/security_manager/override.py a PR has been opened to suggest the changes however that is waiting upstream approval. '
- timestamp: 2024-11-08T10:34:45Z
type: fixed
data:
fixed-version: 2.10.3-r0
- id: CGA-3mg6-hjmp-vwjr
aliases:
- GHSA-w235-7p84-xx57
events:
- timestamp: 2024-06-07T08:05:13Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 700ca6ad4ba5b3d9
componentName: tornado
componentVersion: "6.4"
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-12T15:28:56Z
type: fixed
data:
fixed-version: 2.9.2-r0
- id: CGA-45cj-mqr9-6j37
aliases:
- CVE-2024-39863
- GHSA-j482-47xf-p25c
events:
- timestamp: 2024-07-18T07:02:44Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 1860f024d4a010d6
componentName: apache-airflow
componentVersion: 2.9.2
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.2.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.2.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.2.dist-info/direct_url.json
scanner: grype
- timestamp: 2024-07-18T17:40:55Z
type: fixed
data:
fixed-version: 2.9.3-r0
- id: CGA-45f3-3fmq-7h5w
aliases:
- CVE-2023-50782
- GHSA-3ww4-gg4f-jr7f
events:
- timestamp: 2024-05-17T07:30:06Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 4181a0e83441846c
componentName: cryptography
componentVersion: 41.0.7
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-04T11:42:06Z
type: pending-upstream-fix
data:
note: Upgrading cryptography dependency in hatch_build.py to 42.0.4 causes a build failure
- timestamp: 2024-06-04T13:45:18Z
type: fixed
data:
fixed-version: 2.9.1-r1
- timestamp: 2024-06-05T07:02:39Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 4181a0e83441846c
componentName: cryptography
componentVersion: 41.0.7
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-12T11:42:06Z
type: pending-upstream-fix
data:
note: Upgrading cryptography dependency in hatch_build.py to 42.0.4 causes a build failure
- id: CGA-4gf6-v2x3-r55p
aliases:
- CVE-2024-35255
- GHSA-m5vv-6r4h-3vj9
events:
- timestamp: 2024-06-12T07:19:12Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: c33c750dfcd79e15
componentName: azure-identity
componentVersion: 1.16.0
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/azure_identity-1.16.0.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/azure_identity-1.16.0.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/azure_identity-1.16.0.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-12T15:28:55Z
type: fixed
data:
fixed-version: 2.9.2-r0
- id: CGA-5wqx-gwjc-m857
aliases:
- CVE-2024-52303
- GHSA-27mf-ghqm-j3j8
events:
- timestamp: 2024-11-19T07:01:33Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 452171577f41d528
componentName: aiohttp
componentVersion: 3.10.10
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.10.10.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.10.10.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.10.10.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-12-16T11:23:07Z
type: fixed
data:
fixed-version: 2.10.3-r2
- id: CGA-6h8r-33x9-cmw8
aliases:
- CVE-2024-41937
- GHSA-w7cp-g8v7-r54m
events:
- timestamp: 2024-08-23T08:26:25Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 7f8d81a72402cdab
componentName: apache-airflow
componentVersion: 2.9.3
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.3.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.3.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.3.dist-info/direct_url.json
scanner: grype
- timestamp: 2024-09-05T01:35:46Z
type: fixed
data:
fixed-version: 2.10.0-r0
- id: CGA-6v56-8m7g-x649
aliases:
- CVE-2024-39689
- GHSA-248v-346w-9cwc
events:
- timestamp: 2024-07-06T07:01:46Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: ed6fbc90383e3906
componentName: certifi
componentVersion: 2024.6.2
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/certifi-2024.6.2.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/certifi-2024.6.2.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/certifi-2024.6.2.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-07-08T16:36:33Z
type: fixed
data:
fixed-version: 2.9.2-r2
- id: CGA-7j7g-hp89-c8x3
aliases:
- CVE-2024-49766
- GHSA-f9vj-2wh5-fj8j
events:
- timestamp: 2024-10-26T08:01:22Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 001c572a9b5ab7fb
componentName: werkzeug
componentVersion: 2.2.3
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-11-13T04:46:12Z
type: pending-upstream-fix
data:
note: 'Fixed versions of Werkzeug (v2.3.8 and above) are not compatible with the current version of apache airflow. There is an open PR in airflow addressing this that will natively support Werkzeug v2.3.8 (https://github.com/apache/airflow/pull/36052) '
- id: CGA-8f64-fgpv-jxj2
aliases:
- CVE-2024-37891
- GHSA-34jh-p97f-mpxf
events:
- timestamp: 2024-06-18T07:01:45Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 91504e6f5de46ab8
componentName: urllib3
componentVersion: 2.2.1
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/urllib3-2.2.1.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/urllib3-2.2.1.dist-info/RECORD
scanner: grype
- timestamp: 2024-06-20T10:34:07Z
type: fixed
data:
fixed-version: 2.9.2-r1
- id: CGA-8mx8-8v5r-99xg
aliases:
- CVE-2024-35195
- GHSA-9wx4-h78v-vm56
events:
- timestamp: 2024-05-22T07:21:05Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 61e842dde812846c
componentName: requests
componentVersion: 2.31.0
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/requests-2.31.0.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/requests-2.31.0.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/requests-2.31.0.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-04T13:45:19Z
type: fixed
data:
fixed-version: 2.9.1-r1
- id: CGA-cm8c-j4m9-hwv4
aliases:
- CVE-2024-49767
- GHSA-q34m-jh98-gwm2
events:
- timestamp: 2024-10-26T08:01:29Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 001c572a9b5ab7fb
componentName: werkzeug
componentVersion: 2.2.3
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-11-13T04:47:26Z
type: pending-upstream-fix
data:
note: 'Fixed versions of Werkzeug (v2.3.8 and above) are not compatible with the current version of apache airflow. There is an open PR in airflow addressing this that will natively support Werkzeug v2.3.8 (https://github.com/apache/airflow/pull/36052) '
- id: CGA-f4qg-9fw4-8247
aliases:
- CVE-2024-26130
- GHSA-6vqw-3v5j-54x4
events:
- timestamp: 2024-05-17T07:30:06Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 4181a0e83441846c
componentName: cryptography
componentVersion: 41.0.7
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-04T11:42:37Z
type: pending-upstream-fix
data:
note: Upgrading cryptography dependency in hatch_build.py to 42.0.4 causes a build failure
- timestamp: 2024-06-04T13:45:18Z
type: fixed
data:
fixed-version: 2.9.1-r1
- timestamp: 2024-06-05T07:02:41Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 4181a0e83441846c
componentName: cryptography
componentVersion: 41.0.7
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-12T11:42:37Z
type: pending-upstream-fix
data:
note: Upgrading cryptography dependency in hatch_build.py to 42.0.4 causes a build failure
- id: CGA-f7wq-crqm-v76f
aliases:
- CVE-2024-56326
- GHSA-q2x7-8rv6-6q7h
events:
- timestamp: 2024-12-24T07:08:25Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 569cc0f68ce28b67
componentName: jinja2
componentVersion: 3.1.4
componentType: python
componentLocation: /opt/airflow/lib/python3.12/site-packages/jinja2-3.1.4.dist-info/METADATA, /opt/airflow/lib/python3.12/site-packages/jinja2-3.1.4.dist-info/RECORD
scanner: grype
- id: CGA-frqv-94jm-v4q7
aliases:
- CVE-2024-50378
- GHSA-j857-2pwm-jjmm
events:
- timestamp: 2024-11-09T07:06:18Z
type: fixed
data:
fixed-version: 2.10.3-r0
- id: CGA-h5gv-qmmr-9r2w
aliases:
- CVE-2024-39877
- GHSA-g5hv-r743-v8pm
events:
- timestamp: 2024-07-18T07:02:40Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 1860f024d4a010d6
componentName: apache-airflow
componentVersion: 2.9.2
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.2.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.2.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/apache_airflow-2.9.2.dist-info/direct_url.json
scanner: grype
- timestamp: 2024-07-18T17:40:54Z
type: fixed
data:
fixed-version: 2.9.3-r0
- id: CGA-pq4j-wp27-c7j9
aliases:
- CVE-2024-34069
- GHSA-2g68-c3qc-8985
events:
- timestamp: 2024-05-17T07:30:08Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 66bf9f85cfd5bed8
componentName: Werkzeug
componentVersion: 2.2.3
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-05-22T09:31:21Z
type: fix-not-planned
data:
note: Vulnerability affects < 3.0.3 however airflow is unable to upgrade to werkzeugto 3+ https://github.com/apache/airflow/blob/2d53c1089f78d8d1416f51af60e1e0354781
- id: CGA-qpm7-q69q-w66w
aliases:
- CVE-2024-52804
- GHSA-8w49-h785-mj3c
events:
- timestamp: 2024-11-23T08:04:57Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 6f7f43d47b009995
componentName: tornado
componentVersion: 6.4.1
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.1.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.1.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.1.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-12-16T11:23:09Z
type: fixed
data:
fixed-version: 2.10.3-r2
- id: CGA-r95c-6w6h-wgm6
aliases:
- CVE-2024-45498
- GHSA-c392-whpc-vfpr
events:
- timestamp: 2024-09-10T07:05:31Z
type: fixed
data:
fixed-version: 2.10.1-r0
- id: CGA-rr65-cfqh-j9ww
aliases:
- CVE-2024-45034
- GHSA-92xg-gmrq-5c3w
events:
- timestamp: 2024-09-10T07:05:24Z
type: fixed
data:
fixed-version: 2.10.1-r0
- id: CGA-v739-9xhw-5vmf
aliases:
- CVE-2024-0727
- GHSA-9v9h-cgj8-h64p
events:
- timestamp: 2024-05-17T07:30:07Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 4181a0e83441846c
componentName: cryptography
componentVersion: 41.0.7
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-04T11:43:08Z
type: pending-upstream-fix
data:
note: Upgrading cryptography dependency in hatch_build.py to 42.0.4 causes a build failure
- timestamp: 2024-06-04T13:45:19Z
type: fixed
data:
fixed-version: 2.9.1-r1
- timestamp: 2024-06-05T07:02:43Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 4181a0e83441846c
componentName: cryptography
componentVersion: 41.0.7
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-41.0.7.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-12T11:43:08Z
type: pending-upstream-fix
data:
note: Upgrading cryptography dependency in hatch_build.py to 42.0.4 causes a build failure
- id: CGA-v94x-q6m7-qgqv
aliases:
- CVE-2023-46136
- GHSA-hrfv-mqp8-q5rw
events:
- timestamp: 2024-05-17T07:30:09Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 66bf9f85cfd5bed8
componentName: Werkzeug
componentVersion: 2.2.3
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/Werkzeug-2.2.3.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-05-22T09:33:11Z
type: pending-upstream-fix
data:
note: Vulnerability affects < 3.0.3 however airflow is unable to upgrade to werkzeugto 3+ https://github.com/apache/airflow/blob/2d53c1089f78d8d1416f51af60e1e0354781
- timestamp: 2024-06-06T07:11:46Z
type: fixed
data:
fixed-version: 2.9.1-r1
- timestamp: 2024-09-05T01:24:48Z
type: pending-upstream-fix
data:
note: Fixed versions of Werkzeug (v2.3.8 and above) are not compatible with the current version of apache airflow. There is an open PR in airflow addressing this that will natively support Werkzeug v2.3.8 (https://github.com/apache/airflow/pull/36052)
- id: CGA-wq3q-35vc-xj9h
aliases:
- GHSA-753j-mpmx-qq6g
events:
- timestamp: 2024-06-07T08:05:11Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 700ca6ad4ba5b3d9
componentName: tornado
componentVersion: "6.4"
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/tornado-6.4.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-06-12T15:28:56Z
type: fixed
data:
fixed-version: 2.9.2-r0
- id: CGA-x22r-fp37-7vh6
aliases:
- CVE-2024-6345
- GHSA-cx63-2mw6-8hw5
events:
- timestamp: 2024-07-16T07:26:57Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 9bfb3c41b2043cb0
componentName: setuptools
componentVersion: 66.1.1
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/setuptools-66.1.1.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/setuptools-66.1.1.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/setuptools-66.1.1.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-07-22T19:02:05Z
type: fixed
data:
fixed-version: 2.9.3-r1
- id: CGA-x335-cgg4-xc7c
aliases:
- CVE-2024-42367
- GHSA-jwhx-xcg6-8xhj
events:
- timestamp: 2024-08-10T08:21:22Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: d9c293fe3edbf0e3
componentName: aiohttp
componentVersion: 3.9.5
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.9.5.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.9.5.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.9.5.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-08-23T10:18:58Z
type: fixed
data:
fixed-version: 2.9.3-r2
- id: CGA-x336-fvxc-v695
aliases:
- CVE-2024-52304
- GHSA-8495-4g3g-x7pr
events:
- timestamp: 2024-11-19T07:01:42Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 452171577f41d528
componentName: aiohttp
componentVersion: 3.10.10
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.10.10.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.10.10.dist-info/RECORD, /opt/airflow/venv/lib/python3.12/site-packages/aiohttp-3.10.10.dist-info/top_level.txt
scanner: grype
- timestamp: 2024-12-16T11:23:08Z
type: fixed
data:
fixed-version: 2.10.3-r2
- id: CGA-x72m-49rr-rrcp
aliases:
- GHSA-h4gh-qq45-vh27
events:
- timestamp: 2024-09-04T07:05:47Z
type: detection
data:
type: scan/v1
data:
subpackageName: airflow
componentID: 36c1f16b60357a1a
componentName: cryptography
componentVersion: 43.0.0
componentType: python
componentLocation: /opt/airflow/venv/lib/python3.12/site-packages/cryptography-43.0.0.dist-info/METADATA, /opt/airflow/venv/lib/python3.12/site-packages/cryptography-43.0.0.dist-info/RECORD
scanner: grype
- timestamp: 2024-09-05T01:34:55Z
type: fixed
data:
fixed-version: 2.10.0-r0