Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
References
Link | Resource |
---|---|
https://github.com/apache/airflow/pull/40933 | Patch |
https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2024/08/21/3 |
Configurations
History
21 Nov 2024, 09:33
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Aug 2024, 16:21
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
CPE | cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* | |
References | () https://github.com/apache/airflow/pull/40933 - Patch | |
References | () https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d - Third Party Advisory | |
First Time |
Apache airflow
Apache |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
21 Aug 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-21 16:15
Updated : 2024-11-21 09:33
NVD link : CVE-2024-41937
Mitre link : CVE-2024-41937
CVE.ORG link : CVE-2024-41937
JSON object : View
Products Affected
apache
- airflow
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')