High
CVE-2022-38170 CVSS:5.5
Apache Airflow could allow a local authenticated attacker to obtain sensitive information, caused by a race condition when running with the “–deamon” flag with insecure umask configured. By sending a specially-crafted request, an attacker could exploit this vulnerability to arbitrary file contents, and use this information to launch further attacks against the affected system.
CVE-2022-38054 CVSS:9.1
Apache Airflow could allow a remote attacker to hijack a user’s session, caused by a session fixation flaw in the “database” webserver session backende. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to another user’s session.
Apache
Upgrade to the latest version of Apache Airflow, available from the Apache Web site.