CVE-2024-41937
MEDIUM
Apache Airflow < 2.10.0 - XSS
Title source: rule
Description
Apache Airflow versions before 2.10.0 have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when a user clicks on a provider documentation link. This requires the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
Scores
CVSS v3
6.1
EPSS
0.0085
EPSS Percentile
74.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Classification
CWE
CWE-79
Status
published
Affected Products (2)
apache/airflow
< 2.10.0
pypi/apache-airflow
< 2.10.0 (PyPI)
Timeline
Published
Aug 21, 2024
Tracked Since
Feb 18, 2026