Skip to content

Apache Airflow Reflected Cross-site Scripting vulnerability in 404 Endpoint

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Feb 23, 2024

Package

pip apache-airflow (pip)

Affected versions

< 1.9.0

Patched versions

1.9.0

Description

It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. However Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.

References

Published by the National Vulnerability Database Aug 6, 2018
Published to the GitHub Advisory Database May 14, 2022
Reviewed Feb 23, 2024
Last updated Feb 23, 2024

Severity

Moderate
6.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2017-12614

GHSA ID

GHSA-rv25-9wgj-xg75

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.