Apache Airflow versions before 2.10.0 have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when a user clicks on a provider documentation link. This requires the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
History

Fri, 23 Aug 2024 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apache; Apache airflow |
| CPEs | | cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* |
| Vendors & Products | | Apache; Apache airflow |
| Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |


Thu, 22 Aug 2024 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 21 Aug 2024 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. |
| Title | | Apache Airflow: Stored XSS Vulnerability on provider link |
| Weaknesses | | CWE-79 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-08-21T15:31:13.962Z

Updated: 2024-08-22T13:36:14.984Z

Reserved: 2024-07-24T08:17:37.300Z

Link: CVE-2024-41937

Vulnrichment

Updated: 2024-08-21T17:02:32.321Z

NVD

Status: Modified

Published: 2024-08-21T16:15:08.107

Modified: 2024-11-21T09:33:18.477

Link: CVE-2024-41937

Redhat

No data.