CVE-2024-39863

MEDIUM

Apache Airflow < 2.9.3 - XSS

Title source: rule

Description

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

References (3)

[Issue Tracking, Patch] https://github.com/apache/airflow/pull/40475

[Mailing List] https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3

[Mailing List] http://www.openwall.com/lists/oss-security/2024/07/16/6

Scores

CVSS v3 5.4

EPSS 0.0032

EPSS Percentile 55.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

apache/airflow < 2.9.3

pypi/apache-airflow < 2.9.3PyPI

Timeline

Published Jul 17, 2024

Tracked Since Feb 18, 2026