CVE-2021-28359

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-28359

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28359.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-28359

Aliases

Published

2021-05-02T08:15:06.703Z

Modified

2026-02-13T02:18:55.808197Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type: GIT
Repo: https://github.com/apache/airflow
Events: Introduced

8217db8cb4b1ff302c5cf8662477ac00f701e78c

Fixed

d9567eb106929b21329c01171fd398fbef2dc6c6

Introduced

deb7fc0ffe3ddb9bf9aad6f5f9479d20598e2fb5

Fixed

5a94e34938858ce2bb390ddf0fd16ddfd1312a9b

Affected versions

helm-chart/1.*

helm-chart/1.1.0

helm-chart/1.1.0rc1

providers-airbyte/2.*

providers-airbyte/2.0.0

providers-airbyte/2.1.0

providers-airbyte/2.1.0rc2

providers-airbyte/2.1.1

providers-airbyte/2.1.1rc1

providers-alibaba/1.*

providers-alibaba/1.0.0

providers-alibaba/1.0.0rc1

providers-amazon/2.*

providers-amazon/2.0.0

providers-amazon/2.1.0

providers-amazon/2.1.0rc1

providers-amazon/2.1.0rc2

providers-amazon/2.2.0

providers-amazon/2.2.0rc1

providers-amazon/2.3.0

providers-amazon/2.3.0rc1

providers-amazon/2.3.0rc2

providers-apache-beam/3.*

providers-apache-beam/3.0.0

providers-apache-beam/3.0.1

providers-apache-beam/3.0.1rc1

providers-apache-cassandra/2.*

providers-apache-cassandra/2.0.0

providers-apache-cassandra/2.0.1

providers-apache-cassandra/2.0.1rc1

providers-apache-cassandra/2.1.0

providers-apache-cassandra/2.1.0rc1

providers-apache-drill/1.*

providers-apache-drill/1.0.0

providers-apache-drill/1.0.0rc1

providers-apache-drill/1.0.0rc2

providers-apache-drill/1.0.1

providers-apache-drill/1.0.1rc1

providers-apache-druid/2.*

providers-apache-druid/2.0.0

providers-apache-druid/2.0.1

providers-apache-druid/2.0.1rc2

providers-apache-druid/2.0.2

providers-apache-druid/2.0.2rc1

providers-apache-hdfs/2.*

providers-apache-hdfs/2.0.0

providers-apache-hdfs/2.1.0

providers-apache-hdfs/2.1.0rc1

providers-apache-hdfs/2.1.1

providers-apache-hdfs/2.1.1rc1

providers-apache-hive/2.*

providers-apache-hive/2.0.0

providers-apache-hive/2.0.1

providers-apache-hive/2.0.1rc1

providers-apache-hive/2.0.1rc2

providers-apache-hive/2.0.2

providers-apache-hive/2.0.2rc1

providers-apache-kylin/2.*

providers-apache-kylin/2.0.0

providers-apache-kylin/2.0.1

providers-apache-kylin/2.0.1rc1

providers-apache-livy/2.*

providers-apache-livy/2.0.0

providers-apache-livy/2.1.0

providers-apache-livy/2.1.0rc1

providers-apache-pig/2.*

providers-apache-pig/2.0.0

providers-apache-pig/2.0.1

providers-apache-pig/2.0.1rc1

providers-apache-pinot/2.*

providers-apache-pinot/2.0.0

providers-apache-pinot/2.0.1

providers-apache-pinot/2.0.1rc1

providers-apache-spark/2.*

providers-apache-spark/2.0.0

providers-apache-spark/2.0.1

providers-apache-spark/2.0.1rc1

providers-apache-sqoop/2.*

providers-apache-sqoop/2.0.0

providers-apache-sqoop/2.0.1

providers-apache-sqoop/2.0.1rc1

providers-apache-sqoop/2.0.1rc2

providers-apache-sqoop/2.0.2

providers-apache-sqoop/2.0.2rc1

providers-asana/1.*

providers-asana/1.0.0

providers-asana/1.1.0

providers-asana/1.1.0rc1

providers-celery/2.*

providers-celery/2.0.0

providers-celery/2.1.0

providers-celery/2.1.0rc1

providers-celery/2.1.0rc2

providers-cloudant/2.*

providers-cloudant/2.0.0

providers-cloudant/2.0.1

providers-cloudant/2.0.1rc1

providers-cncf-kubernetes/2.*

providers-cncf-kubernetes/2.0.0

providers-cncf-kubernetes/2.0.1

providers-cncf-kubernetes/2.0.1rc1

providers-cncf-kubernetes/2.0.1rc2

providers-cncf-kubernetes/2.0.2

providers-cncf-kubernetes/2.0.2rc1

providers-cncf-kubernetes/2.0.3

providers-cncf-kubernetes/2.0.3rc1

providers-databricks/2.*

providers-databricks/2.0.0

providers-databricks/2.0.1

providers-databricks/2.0.1rc1

providers-databricks/2.0.2

providers-databricks/2.0.2rc1

providers-datadog/2.*

providers-datadog/2.0.0

providers-datadog/2.0.1

providers-datadog/2.0.1rc1

providers-dingding/2.*

providers-dingding/2.0.0

providers-dingding/2.0.1

providers-dingding/2.0.1rc1

providers-discord/2.*

providers-discord/2.0.0

providers-discord/2.0.1

providers-discord/2.0.1rc1

providers-docker/2.*

providers-docker/2.0.0

providers-docker/2.1.0

providers-docker/2.1.0rc1

providers-docker/2.1.0rc2

providers-docker/2.1.1

providers-docker/2.1.1rc1

providers-docker/2.2.0

providers-docker/2.2.0rc1

providers-elasticsearch/2.*

providers-elasticsearch/2.0.1

providers-elasticsearch/2.0.2rc1

providers-elasticsearch/2.0.2rc2

providers-elasticsearch/2.0.3

providers-elasticsearch/2.0.3rc1

providers-exasol/2.*

providers-exasol/2.0.0

providers-exasol/2.0.1

providers-exasol/2.0.1rc1

providers-facebook/2.*

providers-facebook/2.0.0

providers-facebook/2.0.1

providers-facebook/2.0.1rc1

providers-ftp/2.*

providers-ftp/2.0.0

providers-ftp/2.0.1

providers-ftp/2.0.1rc1

providers-google/4.*

providers-google/4.0.0

providers-google/4.1.0rc1

providers-google/5.*

providers-google/5.0.0

providers-google/5.0.0rc2

providers-google/5.1.0

providers-google/5.1.0rc1

providers-google/6.*

providers-google/6.0.0

providers-google/6.0.0rc1

providers-grpc/2.*

providers-grpc/2.0.0

providers-grpc/2.0.1

providers-grpc/2.0.1rc1

providers-hashicorp/2.*

providers-hashicorp/2.0.0

providers-hashicorp/2.1.0

providers-hashicorp/2.1.0rc1

providers-hashicorp/2.1.0rc2

providers-hashicorp/2.1.1

providers-hashicorp/2.1.1rc1

providers-http/2.*

providers-http/2.0.0

providers-http/2.0.1

providers-http/2.0.1rc1

providers-imap/2.*

providers-imap/2.0.0

providers-imap/2.0.1

providers-imap/2.0.1rc1

providers-influxdb/1.*

providers-influxdb/1.0.0

providers-influxdb/1.0.0rc1

providers-jdbc/2.*

providers-jdbc/2.0.0

providers-jdbc/2.0.1

providers-jdbc/2.0.1rc1

providers-jenkins/2.*

providers-jenkins/2.0.0

providers-jenkins/2.0.1

providers-jenkins/2.0.1rc1

providers-jenkins/2.0.1rc2

providers-jenkins/2.0.2

providers-jenkins/2.0.2rc1

providers-jira/2.*

providers-jira/2.0.0

providers-jira/2.0.1

providers-jira/2.0.1rc1

providers-microsoft-azure/3.*

providers-microsoft-azure/3.0.0

providers-microsoft-azure/3.1.0

providers-microsoft-azure/3.1.0rc1

providers-microsoft-azure/3.1.0rc2

providers-microsoft-azure/3.1.1

providers-microsoft-azure/3.1.1rc1

providers-microsoft-azure/3.2.0

providers-microsoft-azure/3.2.0rc1

providers-microsoft-mssql/2.*

providers-microsoft-mssql/2.0.0

providers-microsoft-mssql/2.0.1

providers-microsoft-mssql/2.0.1rc1

providers-microsoft-psrp/1.*

providers-microsoft-psrp/1.0.0

providers-microsoft-psrp/1.0.0rc1

providers-microsoft-psrp/1.0.1

providers-microsoft-psrp/1.0.1rc1

providers-microsoft-psrp/1.0.1rc2

providers-microsoft-winrm/2.*

providers-microsoft-winrm/2.0.0

providers-microsoft-winrm/2.0.1

providers-microsoft-winrm/2.0.1rc1

providers-mongo/2.*

providers-mongo/2.0.0

providers-mongo/2.1.0

providers-mongo/2.1.0rc1

providers-mysql/2.*

providers-mysql/2.0.0

providers-mysql/2.1.0

providers-mysql/2.1.0rc1

providers-mysql/2.1.0rc2

providers-mysql/2.1.1

providers-mysql/2.1.1rc1

providers-neo4j/2.*

providers-neo4j/2.0.0

providers-neo4j/2.0.1

providers-neo4j/2.0.1rc1

providers-neo4j/2.0.2

providers-neo4j/2.0.2rc1

providers-odbc/2.*

providers-odbc/2.0.0

providers-odbc/2.0.1

providers-odbc/2.0.1rc1

providers-openfaas/2.*

providers-openfaas/2.0.0

providers-opsgenie/2.*

providers-opsgenie/2.0.0

providers-opsgenie/2.0.1

providers-opsgenie/2.0.1rc1

providers-oracle/2.*

providers-oracle/2.0.0

providers-oracle/2.0.1

providers-oracle/2.0.1rc1

providers-pagerduty/2.*

providers-pagerduty/2.0.0

providers-pagerduty/2.0.1

providers-pagerduty/2.0.1rc1

providers-papermill/2.*

providers-papermill/2.0.0

providers-papermill/2.0.1

providers-papermill/2.0.1rc1

providers-papermill/2.1.0

providers-papermill/2.1.0rc1

providers-plexus/2.*

providers-plexus/2.0.0

providers-plexus/2.0.1

providers-plexus/2.0.1rc1

providers-postgres/2.*

providers-postgres/2.0.0

providers-postgres/2.1.0

providers-postgres/2.1.0rc1

providers-postgres/2.1.0rc2

providers-postgres/2.2.0

providers-postgres/2.2.0rc1

providers-postgres/2.3.0

providers-postgres/2.3.0rc1

providers-presto/2.*

providers-presto/2.0.0

providers-presto/2.0.1

providers-presto/2.0.1rc1

providers-qubole/2.*

providers-qubole/2.0.0

providers-qubole/2.0.1

providers-qubole/2.0.1rc1

providers-redis/2.*

providers-redis/2.0.0

providers-redis/2.0.1

providers-redis/2.0.1rc1

providers-salesforce/3.*

providers-salesforce/3.0.0

providers-salesforce/3.1.0

providers-salesforce/3.1.0rc2

providers-salesforce/3.2.0

providers-salesforce/3.2.0rc1

providers-samba/2.*

providers-samba/2.0.0

providers-samba/3.*

providers-samba/3.0.0

providers-samba/3.0.0rc1

providers-segment/2.*

providers-segment/2.0.0

providers-segment/2.0.1

providers-segment/2.0.1rc1

providers-sendgrid/2.*

providers-sendgrid/2.0.0

providers-sendgrid/2.0.1

providers-sendgrid/2.0.1rc1

providers-sftp/2.*

providers-sftp/2.0.0

providers-sftp/2.1.0

providers-sftp/2.1.0rc1

providers-sftp/2.1.0rc2

providers-sftp/2.1.1

providers-sftp/2.1.1rc1

providers-singularity/2.*

providers-singularity/2.0.0

providers-singularity/2.0.1

providers-singularity/2.0.1rc1

providers-slack/4.*

providers-slack/4.0.0

providers-slack/4.0.1

providers-slack/4.0.1rc1

providers-slack/4.1.0

providers-slack/4.1.0rc1

providers-snowflake/2.*

providers-snowflake/2.0.0

providers-snowflake/2.1.0

providers-snowflake/2.1.0rc1

providers-snowflake/2.1.0rc2

providers-snowflake/2.1.1

providers-snowflake/2.1.1rc1

providers-snowflake/2.2.0

providers-snowflake/2.2.0rc1

providers-sqlite/2.*

providers-sqlite/2.0.0

providers-sqlite/2.0.1

providers-sqlite/2.0.1rc1

providers-ssh/2.*

providers-ssh/2.0.0

providers-ssh/2.1.0

providers-ssh/2.1.0rc1

providers-ssh/2.1.0rc2

providers-ssh/2.1.1

providers-ssh/2.1.1rc1

providers-ssh/2.2.0

providers-ssh/2.2.0rc1

providers-tableau/2.*

providers-tableau/2.0.0

providers-tableau/2.1.0

providers-tableau/2.1.0rc1

providers-tableau/2.1.0rc2

providers-tableau/2.1.1

providers-tableau/2.1.1rc1

providers-telegram/2.*

providers-telegram/2.0.0

providers-telegram/2.0.1

providers-telegram/2.0.1rc1

providers-trino/2.*

providers-trino/2.0.0

providers-trino/2.0.1

providers-trino/2.0.1rc1

providers-vertica/2.*

providers-vertica/2.0.0

providers-vertica/2.0.1

providers-vertica/2.0.1rc1

providers-yandex/2.*

providers-yandex/2.0.0

providers-yandex/2.1.0

providers-yandex/2.1.0rc1

providers-zendesk/2.*

providers-zendesk/2.0.0

providers-zendesk/2.0.1

providers-zendesk/2.0.1rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28359.json"