CVE-2024-41937

Severity: 6.1 MEDIUM
EPSS: 0.9% (top 25.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 21; latest update Sep 7

Description

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

NVD: apache/airflow < 2.10.0
PyPI: apache-airflow < 2.10.0

Patches

Vulnerability Details (4)

OSV: Apache Airflow Cross-site Scripting Vulnerability (2024-08-21)
GHSA: Apache Airflow Cross-site Scripting Vulnerability (2024-08-21)
CVEList: Apache Airflow: Stored XSS Vulnerability on provider link (2024-08-21)
OSV: CVE-2024-41937: Apache Airflow, versions before 2... (2024-08-21)

Community (1)

HackerOne: CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link (2024-09-07)
CVE-2024-41937 (MEDIUM CVSS 6.1) | Apache Airflow | cvebase.io