CVE-2024-39863

MEDIUM5.4EPSS 0.43%

Apache Airflow: Potential XSS Vulnerability

發布日:2024/7/17修改日:2025/5/20

也稱為:GHSA-j482-47xf-p25cBIT-airflow-2024-39863PYSEC-2024-189

描述

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

受影響套件(3)

Bitnami/airflowfrom 0, < 2.9.3
PyPI/apache-airflowfrom 0, < 2.9.3
PyPI/apache-airflowfrom 0, < 2.9.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

參考連結(7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-39863
PATCHhttps://github.com/apache/airflow
WEBhttps://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58
WEBhttps://github.com/apache/airflow/pull/40475
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml
WEBhttps://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
WEBhttp://www.openwall.com/lists/oss-security/2024/07/16/6