// For flags

CVE-2024-32077

Apache Airflow: XSS vulnerability in Task Instance Log/Log Details

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. 
Users are recommended to upgrade to version 2.9.1, which fixes this issue.

Apache Airflow versión 2.9.0 tiene una vulnerabilidad que permite a un atacante autenticado inyectar datos maliciosos en los registros de instancias de tareas. Se recomienda a los usuarios actualizar a la versión 2.9.1, que soluciona este problema.

*Credits: Ming, Jens Scheffler
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-10 CVE Reserved
  • 2024-05-14 CVE Published
  • 2024-06-11 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Airflow
Search vendor "Apache Software Foundation" for product "Apache Airflow"
 >= 2.9.0 < 2.9.1
Search vendor "Apache Software Foundation" for product "Apache Airflow" and version " >= 2.9.0 < 2.9.1"
en
Affected