CVE-2017-12614 — Cross-site Scripting in Software Foundation Apache Airflow

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

2.3%

top 15.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedAug 6

Latest updateMay 14

Description

It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDapache/airflow< 1.9.0

▶CVEListV5apache_software_foundation/apache_airflow< 1.9.0

🔴Vulnerability Details

GHSA

Apache Airflow Reflected Cross-site Scripting vulnerability in 404 Endpoint↗2022-05-14

▶

OSV

Apache Airflow Reflected Cross-site Scripting vulnerability in 404 Endpoint↗2022-05-14

▶

OSV

CVE-2017-12614: It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack↗2018-08-06

▶

CVEList

CVE-2017-12614: It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack↗2018-08-06

▶