CVE-2024-41937 – apache-airflow

Package

Manager: pip
Name: apache-airflow
Vulnerable Version: >=0 <2.10.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.02367 pctl0.8436

Details

Apache Airflow Cross-site Scripting Vulnerability Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

Metadata

Created: 2024-08-21T18:31:27Z
Modified: 2025-03-21T04:28:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-w7cp-g8v7-r54m/GHSA-w7cp-g8v7-r54m.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-w7cp-g8v7-r54m
Finding: F425
Auto approve: 1