======================================================================

                                CERT-Renater

                    Note d'Information No. 2024/VULN339
_____________________________________________________________________

DATE                : 26/08/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                                        to 2.10.0.

=====================================================================
https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
_____________________________________________________________________


CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider
link
Severity: low

Affected versions:

- Apache Airflow before 2.10.0

Description:

Apache Airflow, versions before 2.10.0, have a vulnerability that
allows the developer of a malicious provider to execute a cross-site
scripting attack when clicking on a provider documentation link. This
would require the provider to be installed on the web server and the
user to click the provider link.

Users should upgrade to 2.10.0 or later, which fixes this
vulnerability.


Credit:

sw0rd1ight (https://github.com/sw0rd1ight) (finder)
Amogh Desai (remediation developer)


References:

https://github.com/apache/airflow/pull/40933
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-41937


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================