Apache Airflow Vulnerability: Cross-Site Scripting Attack

CVE-2024-41937

6.1MEDIUM

Key Information

Vendor
Apache
Status
Apache Airflow
Vendor
CVE Published:
21 August 2024

Summary

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

Affected Version(s)

Apache Airflow < 2.10.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

sw0rd1ight (https://github.com/sw0rd1ight)
Amogh Desai
.