Lucene search

[email protected]NVD:CVE-2024-41937

HistoryAug 21, 2024 - 4:15 p.m.

CVE-2024-41937

2024-08-2116:15:08

CWE-79

[email protected]

web.nvd.nist.gov

apache airflow

cross-site scripting

upgrade

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

38.6%

JSON

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

Affected configurations

Nvd

Node

apacheairflowRange<2.10.0

VendorProductVersionCPE
apacheairflow*cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	airflow	*	cpe:2.3:a:apache:airflow::::::::

References

github.com/apache/airflow/pull/40933

lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

38.6%

JSON

Related for NVD:CVE-2024-41937

github1 hackerone1 cvelist1 osv3 vulnrichment1 cve1 veracode1 wolfi1