Closed adithyaonline closed 3 months ago
Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.
Not possible until we could migrate to the Connexion 3, see: https://github.com/apache/airflow/issues/35234 There are a couple of attempts to resolve it and none of them is successful.
root@fc8180a24c0c:/opt/airflow# pipdeptree --package Werkzeug -r
Werkzeug==2.2.3
├── apache-airflow==2.10.0.dev0 [requires: Werkzeug>=2.0,<3]
├── connexion==2.14.2 [requires: Werkzeug>=1.0,<2.3]
│ └── apache-airflow==2.10.0.dev0 [requires: connexion>=2.10.0,<3.0]
├── Flask==2.2.5 [requires: Werkzeug>=2.2.2]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│ ├── connexion==2.14.2 [requires: Flask>=1.0.4,<2.3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: connexion>=2.10.0,<3.0]
│ ├── Flask-AppBuilder==4.4.1 [requires: Flask>=2,<3.0.0]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Babel==2.0.0 [requires: Flask]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Babel>=1,<3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Bcrypt==1.0.1 [requires: Flask]
│ ├── Flask-Caching==2.3.0 [requires: Flask]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-Caching>=1.5.0]
│ ├── Flask-JWT-Extended==4.6.0 [requires: Flask>=2.0,<4.0]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-JWT-Extended>=4.0.0,<5.0.0]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Limiter==3.7.0 [requires: Flask>=2]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Limiter>3,<4]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Login==0.6.3 [requires: Flask>=1.0.4]
│ │ ├── apache-airflow==2.10.0.dev0 [requires: Flask-Login>=0.6.2]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Login>=0.3,<0.7]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Session==0.5.0 [requires: Flask>=2.2]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-Session>=0.4.0,<0.6]
│ ├── Flask-SQLAlchemy==2.5.1 [requires: Flask>=0.10]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-SQLAlchemy>=2.4,<3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ └── Flask-WTF==1.2.1 [requires: Flask]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask-WTF>=0.15]
│ └── Flask-AppBuilder==4.4.1 [requires: Flask-WTF>=0.14.2,<2]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-AppBuilder==4.4.1 [requires: Werkzeug<4]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-JWT-Extended==4.6.0 [requires: Werkzeug>=0.14]
│ └── Flask-AppBuilder==4.4.1 [requires: Flask-JWT-Extended>=4.0.0,<5.0.0]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-Login==0.6.3 [requires: Werkzeug>=1.0.1]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask-Login>=0.6.2]
│ └── Flask-AppBuilder==4.4.1 [requires: Flask-Login>=0.3,<0.7]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
└── moto==5.0.7 [requires: Werkzeug>=0.5,!=2.2.1,!=2.2.0]
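To show why the reverse tree above blocks the upgrade the issue asks for, here is an added example (not code from this thread or from Airflow) that re-checks those pinned specifiers against a candidate Werkzeug version. The specifier strings are copied from the pipdeptree output; the version comparison is a minimal stand-in for `packaging.specifiers`, written here so the script runs on the standard library alone (numeric dotted versions and the operators ==, !=, >=, <=, >, < only).

```python
import re

# Direct requirers of Werkzeug and their specifiers, copied from the
# `pipdeptree --package Werkzeug -r` output in the thread above.
REQUIRERS = {
    "apache-airflow==2.10.0.dev0": ">=2.0,<3",
    "connexion==2.14.2": ">=1.0,<2.3",
    "Flask==2.2.5": ">=2.2.2",
    "Flask-AppBuilder==4.4.1": "<4",
    "Flask-JWT-Extended==4.6.0": ">=0.14",
    "Flask-Login==0.6.3": ">=1.0.1",
    "moto==5.0.7": ">=0.5,!=2.2.1,!=2.2.0",
}

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def _key(version):
    """Turn '2.2.3' into (2, 2, 3); trailing zeros are dropped so '2.0' == '2'."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version, specifier):
    """True when `version` meets every clause of a comma-separated specifier."""
    v = _key(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, _key(bound)):
            return False
    return True


def blockers(target, requirers=REQUIRERS):
    """Map each requirer whose specifier rejects `target` to that specifier."""
    return {pkg: spec for pkg, spec in requirers.items() if not satisfies(target, spec)}


if __name__ == "__main__":
    for candidate in ("2.2.3", "2.3.8", "3.0.3"):
        print(candidate, "blocked by:", blockers(candidate) or "nothing")
```

Running it shows that the fixed 3.0.3 is rejected by both the Airflow pin (<3) and the Connexion 2 pin (<2.3), which is exactly the migration dependency the maintainer comment points to.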
According to https://nvd.nist.gov/vuln/detail/CVE-2024-34069 the vulnerability is the werkzeug debugger -- has anyone looked for or found a way to safely hard disable the debugger in a deployment (i.e. make it so the debugger will not run, even on localhost)?
I can't find evidence that the werkzeug debugger console is accessible inside of an unaltered airflow deployment -- the werkzeug docs say the debugger has to be intentionally enabled by wrapping the application in the DebuggedApplication middleware -- as far as I can search, airflow does not do this.
I believe the temporary way forward for those who need to deploy airflow and are being denied because of security policies is to get a security exception from whoever governs security on the infrastructure you need to deploy to.
Apache Airflow version
2.9.1
If "Other Airflow 2 version" selected, which one?
No response
What happened?
Werkzeug 2.2.8 has a vulnerability with CVSS score of 7.5
What you think should happen instead?
we need to upgrade Werkzeug to 3.0.3
How to reproduce
Scan latest airflow with any source code analysis tool
Operating System
debian
Versions of Apache Airflow Providers
No response
Deployment
Other Docker-based deployment
Deployment details
No response
Anything else?
No response
Are you willing to submit PR?
Code of Conduct