PYSEC-2021-4
Vulnerability from pysec - Published: 2021-05-02 08:15 - Updated: 2021-05-10 20:07
VLAI?
Details
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
Impacted products
| Name | purl | apache-airflow | pkg:pypi/apache-airflow |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow",
"purl": "pkg:pypi/apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.1"
},
{
"fixed": "1.10.15"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1",
"1.8.2rc1",
"1.8.2",
"1.9.0",
"1.10.0",
"1.10.1b1",
"1.10.1rc2",
"1.10.1",
"1.10.2b2",
"1.10.2rc1",
"1.10.2rc2",
"1.10.2rc3",
"1.10.2",
"1.10.3b1",
"1.10.3b2",
"1.10.3rc1",
"1.10.3rc2",
"1.10.3",
"1.10.4b2",
"1.10.4rc1",
"1.10.4rc2",
"1.10.4rc3",
"1.10.4rc4",
"1.10.4rc5",
"1.10.4",
"1.10.5rc1",
"1.10.5",
"1.10.6rc1",
"1.10.6rc2",
"1.10.6",
"1.10.7rc1",
"1.10.7rc2",
"1.10.7rc3",
"1.10.7",
"1.10.8rc1",
"1.10.8",
"1.10.9rc1",
"1.10.9",
"1.10.10rc1",
"1.10.10rc2",
"1.10.10rc3",
"1.10.10rc4",
"1.10.10rc5",
"1.10.10",
"1.10.11rc1",
"1.10.11rc2",
"1.10.11",
"1.10.12rc1",
"1.10.12rc2",
"1.10.12rc3",
"1.10.12rc4",
"1.10.12",
"1.10.13rc1",
"1.10.13",
"1.10.14rc1",
"1.10.14rc2",
"1.10.14rc3",
"1.10.14rc4",
"1.10.14",
"1.10.15rc1",
"2.0.0",
"2.0.1rc1",
"2.0.1rc2",
"2.0.1",
"2.0.2rc1"
]
}
],
"aliases": [
"CVE-2021-28359",
"GHSA-3xxv-p78r-4fc6"
],
"details": "The \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit. This issue affects Apache Airflow versions \u003c1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 \u0026 CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).",
"id": "PYSEC-2021-4",
"modified": "2021-05-10T20:07:00Z",
"published": "2021-05-02T08:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3xxv-p78r-4fc6"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…