CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link
First published: Wed Aug 21 2024(Updated: )
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/apache-airflow | <2.10.0 | 2.10.0 |
| Apache Airflow | <2.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/apache/airflow/pull/40933
- https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
- https://nvd.nist.gov/vuln/detail/CVE-2024-41937
- https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98
- https://github.com/advisories/GHSA-w7cp-g8v7-r54m (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml
- http://www.openwall.com/lists/oss-security/2024/08/21/3
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-41937
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/references
- agent/author
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- agent/event
- collector/github-advisory
- source/GitHub
- alias/GHSA-w7cp-g8v7-r54m
- agent/trending
- agent/source
- agent/tags
- collector/github-advisory-latest
- vendor/apache
- canonical/apache airflow
- package-manager/pip