{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:05295331-06f8-5cc9-af33-6c8b2c10412b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare", "type": "library", "name": "apache-airflow-providers-http", "version": "4.13.3.post1+tuxcare", "purl": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:33c042bd-7d84-5048-966c-6a224fd2bfdd", "id": "CVE-2023-22884", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-22884 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:d598eca6-36cc-5cd4-9edc-fc2c6dc84530", "id": "CVE-2023-39441", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-39441 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:ba9a366d-18bc-5e76-8015-89cf702e3289", "id": "CVE-2025-53643", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-53643 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:0ae4600a-9bc8-52d3-97d9-8e7409741d25", "id": "CVE-2025-69219", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-69219 is fixed in version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:aba6073f-8b34-53a0-92e0-31bc8c3c2329", "id": "CVE-2025-69223", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69223 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:95c29d6f-148a-52a6-aefb-3042a8e62d9a", "id": "CVE-2025-69224", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69224 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:e33981c2-25cf-5673-97e2-dd242415110c", "id": "CVE-2025-69225", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69225 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:d27b1b68-ce3c-5b08-980b-2085f1d37300", "id": "CVE-2025-69226", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69226 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:e247fdb7-38ca-5dd0-8675-9fe81d25e701", "id": "CVE-2025-69227", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69227 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:d51a1ee5-3fd9-54c4-9a9b-f57a53c93d72", "id": "CVE-2025-69228", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69228 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:2c5c2ec7-fec2-5786-b4c6-70809494f4e9", "id": "CVE-2025-69229", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69229 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:cd7b3c48-b65c-5427-8394-3bede341ac5f", "id": "CVE-2025-69230", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69230 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:fc8ffa4a-52d0-5803-aac5-25ac30f0fbae", "id": "CVE-2026-22815", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22815 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:cd4ada5d-49c1-5f0d-b344-69532f21359a", "id": "CVE-2026-34513", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34513 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:ff72b5a7-6185-5f8c-9f75-db09b2ebc261", "id": "CVE-2026-34514", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34514 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:90e6e5b6-8c60-530c-8701-467a8482d17c", "id": "CVE-2026-34515", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34515 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:53aed9b7-9f2d-5f6f-a58b-2a4ed49b1a94", "id": "CVE-2026-34516", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34516 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:ae01c22c-d248-5d05-9f73-70f281597766", "id": "CVE-2026-34517", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34517 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:69559e40-05ff-5b55-b5e1-936ea06b9896", "id": "CVE-2026-34518", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34518 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:19298115-09fe-5db2-9daf-e695c268b5ad", "id": "CVE-2026-34519", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34519 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:51b48e69-be31-5ac1-9bd9-d4f0238740a7", "id": "CVE-2026-34520", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34520 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:0f0270e9-ed27-5327-a020-0f59b0176da9", "id": "CVE-2026-34525", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34525 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:b7070997-ab71-55cb-b299-60c199f34ea3", "id": "CVE-2026-34993", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-34993 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 The target repository (apache-airflow-providers-http) uses aiohttp as a declared dependency but does not invoke the vulnerable CookieJar.load() function. The code only uses aiohttp.ClientSession for HTTP client operations with in-memory cookie handling and never deserializes cookies from files." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:1ea36c74-8c2d-5a92-82d4-21c8fe353246", "id": "CVE-2026-47265", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47265 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:7b5b6b53-0d98-5583-a784-1db970893305", "id": "CVE-2026-50269", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50269 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 Apache Airflow HTTP provider is not affected by CVE-2026-50269. The vulnerability requires direct manipulation of aiohttp's Payload.headers or MultipartWriter.append(headers=...) APIs, which Airflow does not use. Airflow only uses aiohttp.ClientSession standard request methods (post/get/put) which set HTTP request headers, not multipart payload headers." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:fac4969b-395f-5135-a4fd-5f56512192b3", "id": "CVE-2026-54273", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54273 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 CVE-2026-54273 affects aiohttp's server-side HTTP/1.1 pipelined request handling. The target repository (Apache Airflow 4.13.3 with TuxCare patches) uses aiohttp exclusively as a CLIENT via aiohttp.ClientSession(), not as a server. The vulnerable code path requires running an aiohttp server (web.Application, RequestHandler) to accept and parse pipelined requests from clients. Since Airflow does..." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:6d346881-022b-58bf-a6ab-8bc3d0b17b4a", "id": "CVE-2026-54274", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54274 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 Apache Airflow is not affected by CVE-2026-54274. While aiohttp v3.10.5 is a dependency, Airflow only uses aiohttp's HTTP client functionality (ClientSession with GET/POST/etc.) and does not use any WebSocket features. The vulnerable code path (WebSocketReader parser) is never invoked in Airflow's codebase." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:1e14c83f-e7ca-5932-a025-edaf9439d4c3", "id": "CVE-2026-54275", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54275 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 CVE-2026-54275 (aiohttp TLS SNI bypass via connection reuse) does not affect Apache Airflow providers. The vulnerability requires persistent connection pooling across multiple requests with different server_hostname values. Airflow's HttpAsyncHook uses ephemeral aiohttp sessions (created and destroyed per request), which prevents connections from being reused across requests. This architectural..." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:7b67e9e0-a167-526f-a8eb-f687e2612b1b", "id": "CVE-2026-54276", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54276 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 The apache-airflow-providers-http package does not use aiohttp's DigestAuthMiddleware and provides no mechanism to configure it. While aiohttp is a dependency, the HTTP provider only uses BasicAuth (request-level authentication), never middleware-based authentication. The vulnerability cannot manifest because the vulnerable component (DigestAuthMiddleware) is never instantiated in the provider'..." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:da1c1796-e828-5ff8-8fbe-098e61e956af", "id": "CVE-2026-54277", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54277 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 The target repository (Apache Airflow Providers HTTP) does not contain the vulnerable aiohttp C parser code. The vulnerability CVE-2026-54277 exists in aiohttp's _http_parser.pyx file (functions cb_on_url and cb_on_status), which is not present in this repository. This repository uses aiohttp as an external Python dependency rather than vendoring or bundling its source code. The vulnerable code..." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:ce58a161-9343-5a2a-8128-afacf9c5cd06", "id": "CVE-2026-54278", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54278 affects version 4.13.3.post1+tuxcare of apache-airflow-providers-http." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:5d34ed70-37d0-5432-bba5-79e785f51513", "id": "CVE-2026-54279", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54279 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 Apache Airflow HTTP Provider is not affected by CVE-2026-54279. The vulnerability concerns aiohttp's CookieJar save/load functionality losing host-only cookie status, but Airflow does not use CookieJar persistence operations. Airflow only creates ephemeral aiohttp.ClientSession instances and never calls .save() or .load() on any CookieJar." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }, { "bom-ref": "urn:uuid:c22e3e2c-6e5e-502e-b474-9bbd5357107d", "id": "CVE-2026-54280", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54280 does not affect version 4.13.3.post1+tuxcare of apache-airflow-providers-http. not_affected \u2014 The vulnerability CVE-2026-54280 affects aiohttp's server-side code (web_response.py:write_eof) used when serving HTTP responses. The Apache Airflow HTTP Provider (version 4.13.3) uses aiohttp exclusively as a CLIENT (via ClientSession) to make outbound HTTP requests, not as a SERVER. Exhaustive search confirmed zero server-side aiohttp usage (no web.Response, web.Application, or write_eof usag..." }, "affects": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] } ], "dependencies": [ { "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3.post1+tuxcare" } ] }