Posted to users@airflow.apache.org by Kaxil Naik <ka...@apache.org> on 2020/12/11 13:11:31 UTC
Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515
Hi Airflow community,
Please find below the information about a vulnerability that has been
addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug, so I
would recommend that users upgrade to Airflow 1.10.14 (released yesterday):
*CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter*
The "origin" parameter passed to some of the endpoints like '/trigger' was
vulnerable to an XSS exploit.
This is the same as CVE-2020-13944, but the fix implemented in Airflow 1.10.12
did not fix the issue completely.
Reported by Ali Al-Habsi of Accellion
Thanks.
Kaxil @ Airflow PMC
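
The following is an added example, not part of the original message and not Airflow's own code: one way to validate a caller-supplied "origin" return URL before it is reflected into a page or used as a redirect target. The announcement does not say how the value was reflected, so the function name `safe_origin`, the fallback path, the host name and the sample values are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_ORIGIN = "/admin/"              # assumed fallback page
ALLOWED_SCHEMES = {"http", "https"}
HTML_BREAKERS = "<>\"'`\\"              # can close an attribute/tag; "\" is read as "/"


def _has_unsafe_char(value):
    # Control characters are dropped by browsers while parsing a URL, so
    # "java<TAB>script:" would otherwise slip past a plain scheme check.
    return any(ord(c) < 0x20 or ord(c) == 0x7F or c in HTML_BREAKERS for c in value)


def safe_origin(origin, request_host, default=DEFAULT_ORIGIN):
    """Return origin if it is a local path or a same-host http(s) URL, else default."""
    if not origin or origin != origin.strip() or _has_unsafe_char(origin):
        return default
    try:
        parts = urlsplit(origin)
    except ValueError:                  # malformed authority, e.g. unbalanced "["
        return default
    if parts.scheme:
        # urlsplit lower-cases the scheme, so "JaVaScRiPt:" is rejected here too.
        if parts.scheme not in ALLOWED_SCHEMES:
            return default
        if parts.netloc.lower() != request_host.lower():
            return default
        return origin
    # No scheme: accept only an absolute local path. "//host/..." is
    # protocol-relative and would leave the site.
    if parts.netloc or not origin.startswith("/"):
        return default
    return origin


# Constructed sample inputs (not taken from the advisory).
HOST = "airflow.example:8080"
SAMPLES = [
    "/admin/tree?dag_id=example_dag",
    "http://airflow.example:8080/admin/",
    "javascript:alert(1)",
    "JaVaScRiPt:alert(1)",
    "java\tscript:alert(1)",
    "//other.example/admin/",
    '/admin/"><b>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", safe_origin(sample, HOST))
```

Validation of this kind complements HTML-escaping the value in the template that renders it; it does not replace it.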