Lucene search

Veracode Vulnerability DatabaseVERACODE:48114

HistoryJul 18, 2024 - 6:17 a.m.

Link Injection

2024-07-1806:17:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache airflow

link injection

vulnerability

validation

urls

provider list

file views

authenticated attacker

malicious link

installation

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

27.3%

JSON

Apache Airflow is vulnerable to Link Injection. The vulnerability is due to improper validation for urls in the provider list within the file views.py, which allows an authenticated attacker to inject a malicious link when installing a provider.

References

github.com/advisories/GHSA-j482-47xf-p25c

github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58

github.com/apache/airflow/pull/40475

lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3