Apache Airflow Cross-site scripting due to incomplete fix for CVE-2020-13944
Moderate severity
GitHub Reviewed
Published Apr 20, 2021 to the GitHub Advisory Database; updated Mar 25, 2024
Package
Affected versions: < 1.10.15; >= 2.0.0, < 2.0.2
Patched versions: 1.10.15; 2.0.2
Published by the National Vulnerability Database: Dec 11, 2020
Reviewed: Apr 8, 2021
Published to the GitHub Advisory Database: Apr 20, 2021
Last updated: Mar 25, 2024
Description
The `origin` parameter passed to some of the endpoints, like `/trigger`, was vulnerable to an XSS exploit. This issue affects Apache Airflow versions prior to 1.10.14. This is the same as CVE-2020-13944, but the fix implemented in Airflow 1.10.13 did not fix the issue completely.
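A server-side check of the kind an `origin`-style return parameter needs, as an added example that is not Airflow's code and not part of the advisory: the function names, the `/home` fallback and the host `airflow.example.com` are assumptions. It accepts only same-site targets, then HTML-escapes the value for the attribute it is written into.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # anything else (javascript:, data:, ...) is refused


def safe_origin(origin, request_host, fallback="/home"):
    """Return `origin` if it points back into this site, else `fallback`.

    `request_host` is the host the server is configured to serve (assumed to
    come from trusted config); `fallback` is a hypothetical default page.
    """
    # Browsers strip whitespace/control characters and treat "\" like "/",
    # so refuse them outright rather than guess how the URL will be re-parsed.
    if not origin or "\\" in origin or any(ord(c) < 0x21 or ord(c) == 0x7F for c in origin):
        return fallback
    try:
        parts = urlsplit(origin)
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path on this site.
        # A leading "//" (or "///") is resolved by browsers as another host.
        return origin if origin.startswith("/") and not origin.startswith("//") else fallback
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc.lower() == request_host.lower():
        return origin
    return fallback


def render_back_link(origin, request_host):
    """Validate first, then HTML-escape for the attribute context."""
    target = safe_origin(origin, request_host)
    return '<a href="{}">Back</a>'.format(html.escape(target, quote=True))


if __name__ == "__main__":
    host = "airflow.example.com"  # constructed sample host
    for sample in [  # constructed sample inputs
        "/tree?dag_id=example&num_runs=5",
        "https://airflow.example.com/graph?dag_id=example",
        "JavaScript:alert(1)",
        "//other.example/tree",
        "https://airflow.example.com@other.example/",
        '/tree?dag_id="x"',
    ]:
        print(repr(sample), "->", render_back_link(sample, host))
```

Validation and output encoding are separate layers here: the last sample passes the URL check and is only made safe by the escaping step.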