GHSA-86vp-x3pr-79rx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-86vp-x3pr-79rx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-86vp-x3pr-79rx/GHSA-86vp-x3pr-79rx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-86vp-x3pr-79rx
- Aliases
- Published
- 2021-04-20T16:40:14Z
- Modified
- 2024-09-11T17:21:47.185593Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Apache Airflow cross-site scripting due to incomplete fix for CVE-2020-13944
- Details
-
The
originparameter passed to some of the endpoints like/triggerwas vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.15. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. - Database specific
{ "nvd_published_at": "2020-12-11T14:15:00Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2021-04-08T23:23:06Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-17515
- https://github.com/apache/airflow/pull/14738
- https://github.com/apache/airflow/commit/13336272e32872247fa7d17e964ccd88ec8d1376
- https://github.com/apache/airflow/commit/409c249121bd9c8902fc2ba551b21873ab41f953
- https://github.com/apache/airflow/commit/7486153f451e4d2bb1c6fd9cbb5a63430157c99c
- https://github.com/apache/airflow/commit/ab8c55878e3e4257d2276226cb17b047ba856686
- https://github.com/apache/airflow/commit/c6369beed53d41c0a70415b0d958bf0604124ad7
- https://pypi.org/project/apache-airflow
- https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
- https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E
- https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E
- https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E
- https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E
- https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-21.yaml
- https://github.com/apache/airflow/releases/tag/2.0.2
- https://github.com/apache/airflow/releases/tag/1.10.15
- https://github.com/apache/airflow
- https://github.com/advisories/GHSA-86vp-x3pr-79rx
- http://www.openwall.com/lists/oss-security/2020/12/11/2
- http://www.openwall.com/lists/oss-security/2021/05/01/2
Affected packages
PyPI / apache-airflow
Package
- Name
- apache-airflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.10.15rc1
Affected versions
1.*
1.8.1
1.8.2rc1
1.8.2
1.9.0
1.10.0
1.10.1b1
1.10.1rc2
1.10.1
1.10.2b2
1.10.2rc1
1.10.2rc2
1.10.2rc3
1.10.2
1.10.3b1
1.10.3b2
1.10.3rc1
1.10.3rc2
1.10.3
1.10.4b2
1.10.4rc1
1.10.4rc2
1.10.4rc3
1.10.4rc4
1.10.4rc5
1.10.4
1.10.5rc1
1.10.5
1.10.6rc1
1.10.6rc2
1.10.6
1.10.7rc1
1.10.7rc2
1.10.7rc3
1.10.7
1.10.8rc1
1.10.8
1.10.9rc1
1.10.9
1.10.10rc1
1.10.10rc2
1.10.10rc3
1.10.10rc4
1.10.10rc5
1.10.10
1.10.11rc1
1.10.11rc2
1.10.11
1.10.12rc1
1.10.12rc2
1.10.12rc3
1.10.12rc4
1.10.12
1.10.13rc1
1.10.13
1.10.14rc1
1.10.14rc2
1.10.14rc3
1.10.14rc4
1.10.14
PyPI / apache-airflow
Package
- Name
- apache-airflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow