CVE-2020-17515 — Cross-site Scripting in Software Foundation Apache Airflow

CWE-79 — Cross-site Scripting6 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

10.2%

top 6.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedDec 11

Latest updateJun 18

Description

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDapache/airflow2.0.0 — 2.0.2+1

▶CVEListV5apache_software_foundation/apache_airflowApache Airflow — 1.10.13

🔴Vulnerability Details

GHSA

Cross-site Scripting in Apache Airflow↗2021-06-18

▶

GHSA

Apache Airflow cross-site scripting due to incomplete fix for CVE-2020-13944↗2021-04-20

▶

OSV

Apache Airflow cross-site scripting due to incomplete fix for CVE-2020-13944↗2021-04-20

▶

OSV

CVE-2020-17515: The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit↗2020-12-11

▶

CVEList

CVE-2020-17515: The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit↗2020-12-11

▶