CVE-2024-39863

MEDIUM

Apache Airflow < 2.9.3 - Authenticated Stored Cross-Site Scripting via Provider Installation Link

Title source: llm

Description

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

References (3)

Core 3

Core References

Issue Tracking, Patch patch

https://github.com/apache/airflow/pull/40475

Mailing List vendor-advisory

https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/16/6

Scores

CVSS v3 5.4

EPSS 0.0043

EPSS Percentile 62.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

apache/airflow < 2.9.3

pypi/apache-airflow 0 - 2.9.3PyPI

Published Jul 17, 2024

Tracked Since Feb 18, 2026