cvelistv5 - cve-2021-45229

Source	URL	Tags
security@apache.org	https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk	Mailing List, Vendor Advisory

Vendor	Product
Apache Software Foundation	Apache Airflow

pysec-2022-29

Vulnerability from pysec

Published

2022-02-25 09:15

Modified

2022-03-04 21:27

Details

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the origin query argument. This issue affects Apache Airflow versions 2.2.3 and below.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow",
        "purl": "pkg:pypi/apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.4rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.10.0",
        "1.10.1",
        "1.10.10",
        "1.10.10rc1",
        "1.10.10rc2",
        "1.10.10rc3",
        "1.10.10rc4",
        "1.10.10rc5",
        "1.10.11",
        "1.10.11rc1",
        "1.10.11rc2",
        "1.10.12",
        "1.10.12rc1",
        "1.10.12rc2",
        "1.10.12rc3",
        "1.10.12rc4",
        "1.10.13",
        "1.10.13rc1",
        "1.10.14",
        "1.10.14rc1",
        "1.10.14rc2",
        "1.10.14rc3",
        "1.10.14rc4",
        "1.10.15",
        "1.10.15rc1",
        "1.10.1b1",
        "1.10.1rc2",
        "1.10.2",
        "1.10.2b2",
        "1.10.2rc1",
        "1.10.2rc2",
        "1.10.2rc3",
        "1.10.3",
        "1.10.3b1",
        "1.10.3b2",
        "1.10.3rc1",
        "1.10.3rc2",
        "1.10.4",
        "1.10.4b2",
        "1.10.4rc1",
        "1.10.4rc2",
        "1.10.4rc3",
        "1.10.4rc4",
        "1.10.4rc5",
        "1.10.5",
        "1.10.5rc1",
        "1.10.6",
        "1.10.6rc1",
        "1.10.6rc2",
        "1.10.7",
        "1.10.7rc1",
        "1.10.7rc2",
        "1.10.7rc3",
        "1.10.8",
        "1.10.8rc1",
        "1.10.9",
        "1.10.9rc1",
        "1.8.1",
        "1.8.2",
        "1.8.2rc1",
        "1.9.0",
        "2.0.0",
        "2.0.0b1",
        "2.0.0b2",
        "2.0.0b3",
        "2.0.0rc1",
        "2.0.0rc2",
        "2.0.0rc3",
        "2.0.1",
        "2.0.1rc1",
        "2.0.1rc2",
        "2.0.2",
        "2.0.2rc1",
        "2.1.0",
        "2.1.0rc1",
        "2.1.0rc2",
        "2.1.1",
        "2.1.1rc1",
        "2.1.2",
        "2.1.2rc1",
        "2.1.3",
        "2.1.3rc1",
        "2.1.4",
        "2.1.4rc1",
        "2.1.4rc2",
        "2.2.0",
        "2.2.0b1",
        "2.2.0b2",
        "2.2.0rc1",
        "2.2.1",
        "2.2.1rc1",
        "2.2.1rc2",
        "2.2.2",
        "2.2.2rc1",
        "2.2.2rc2",
        "2.2.3",
        "2.2.3rc1",
        "2.2.3rc2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45229",
    "GHSA-65xw-pcqw-hjrh"
  ],
  "details": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
  "id": "PYSEC-2022-29",
  "modified": "2022-03-04T21:27:14.014874Z",
  "published": "2022-02-25T09:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh"
    }
  ]
}

ghsa-65xw-pcqw-hjrh

Vulnerability from github

Published

2022-02-26 00:00

Modified

2024-09-12 19:17

Severity

6.1 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 (Medium) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Apache Airflow Cross-site Scripting Vulnerability

Details

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the origin query argument. This issue affects Apache Airflow versions 2.2.3 and below.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.4rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-01T19:31:29Z",
    "nvd_published_at": "2022-02-25T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
  "id": "GHSA-65xw-pcqw-hjrh",
  "modified": "2024-09-12T19:17:59Z",
  "published": "2022-02-26T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Airflow Cross-site Scripting Vulnerability"
}

gsd-2021-45229

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.

Aliases

CVE-2021-45229

Aliases

CVE-2021-45229

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-45229",
    "description": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
    "id": "GSD-2021-45229"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-45229"
      ],
      "details": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
      "id": "GSD-2021-45229",
      "modified": "2023-12-13T01:23:19.562480Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-45229",
        "STATE": "PUBLIC",
        "TITLE": "Apache Airflow: Reflected XSS via Origin Query Argument in URL"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Airflow",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.2.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "The Apache Airflow PMC would like to thank both Bogdan Kurinnoy of the Samsung R\u0026D Institute Ukraine (SRK) and Ali Al-Habsi of Accellion for independently discovering and reporting this issue."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {
          "other": "high"
        }
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=2.2.3",
          "affected_versions": "All versions up to 2.2.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-03-04",
          "description": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
          "fixed_versions": [
            "2.2.4"
          ],
          "identifier": "CVE-2021-45229",
          "identifiers": [
            "CVE-2021-45229",
            "GHSA-65xw-pcqw-hjrh"
          ],
          "not_impacted": "All versions after 2.2.3",
          "package_slug": "pypi/apache-airflow",
          "pubdate": "2022-02-25",
          "solution": "Upgrade to version 2.2.4 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-45229",
            "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk",
            "https://github.com/advisories/GHSA-65xw-pcqw-hjrh"
          ],
          "uuid": "7ad037f7-0d90-4620-bbbd-4cec81ae5849"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.2.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-45229"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-03-04T20:43Z",
      "publishedDate": "2022-02-25T09:15Z"
    }
  }
}

Action not permitted

cve-2021-45229

Vulnerability from cvelistv5

pysec-2022-29

Vulnerability from pysec

ghsa-65xw-pcqw-hjrh

Vulnerability from github

gsd-2021-45229

Vulnerability from gsd

Tags