Posted to dev@airflow.apache.org by Kaxil Naik <ka...@gmail.com> on 2020/09/16 11:27:58 UTC

[CVE-2020-13944] Apache Airflow Reflected XSS via Origin Parameter <= 1.10.12

Versions Affected: <= 1.10.12
Description:
The "origin" parameter passed to some of the endpoints like '/trigger' was
vulnerable to XSS exploit.

Credit:
The issue was independently discovered and reported by Ali Al-Habsi of
Accellion & Everardo Padilla Saca.

Thanks,
Kaxil,
on behalf of Apache Airflow PMC
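
An added example, not part of the original post and not Airflow's code or its shipped fix: one way to handle a reflected `origin` parameter defensively is to accept only local paths or same-host http(s) URLs, then HTML-escape the value where it is written into the page. The function names, the `/home` fallback and the host `airflow.example.com` are assumptions made for illustration.

```python
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_ORIGIN = "/home"  # hypothetical fallback page, not an Airflow route


def safe_origin(origin, request_host, default=DEFAULT_ORIGIN):
    """Return origin only if it is a local path or a same-host http(s) URL."""
    if not origin:
        return default
    # Browsers drop tab/CR/LF inside URLs and treat "\" like "/", so reject
    # control characters, spaces and backslashes instead of normalising them.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F or ch == "\\" for ch in origin):
        return default
    try:
        parts = urlsplit(origin)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow "/path", refuse "//host" and "///host".
        if origin.startswith("/") and not origin.startswith("//"):
            return origin
        return default
    # Absolute URL: scheme must be http(s) and the authority (host[:port],
    # including any userinfo) must equal the host the request arrived on.
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc.lower() == request_host.lower():
        return origin
    return default


def render_back_link(origin, request_host):
    """Validate first, then escape for the HTML attribute context."""
    target = safe_origin(origin, request_host)
    return '<a href="{}">Back</a>'.format(escape(target, quote=True))


if __name__ == "__main__":
    host = "airflow.example.com"  # constructed sample host
    for value in ("/admin/", "javascript:alert(1)", "//evil.example/x",
                  '/x"><script>alert(1)</script>'):  # constructed inputs
        print(repr(value), "->", render_back_link(value, host))
```

Validation alone does not cover the last sample input, which is a legitimate local path that still carries markup; the escaping in `render_back_link` is what keeps it inside the attribute.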

Re: [CVE-2020-13944] Apache Airflow Reflected XSS via Origin Parameter <= 1.10.12

Posted by Jarek Potiuk <Ja...@polidea.com>.
I hoped so :)

On Wed, Sep 16, 2020 at 4:09 PM Kaxil Naik <ka...@gmail.com> wrote:
>
> Correction: the issue only affects < 1.10.12 (not <= 1.10.12)
>
> On Wed, Sep 16, 2020, 12:27 Kaxil Naik <ka...@gmail.com> wrote:
>
> > Versions Affected: <= 1.10.12
> > Description:
> > The "origin" parameter passed to some of the endpoints like '/trigger' was
> > vulnerable to XSS exploit.
> >
> > Credit:
> > The issue was independently discovered and reported by Ali Al-Habsi of
> > Accellion & Everardo Padilla Saca.
> >
> > Thanks,
> > Kaxil,
> > on behalf of Apache Airflow PMC
> >



-- 

Jarek Potiuk
Polidea | Principal Software Engineer

M: +48 660 796 129

Re: [CVE-2020-13944] Apache Airflow Reflected XSS via Origin Parameter <= 1.10.12

Posted by Kaxil Naik <ka...@gmail.com>.
Correction: the issue only affects < 1.10.12 (not <= 1.10.12)

On Wed, Sep 16, 2020, 12:27 Kaxil Naik <ka...@gmail.com> wrote:

> Versions Affected: <= 1.10.12
> Description:
> The "origin" parameter passed to some of the endpoints like '/trigger' was
> vulnerable to XSS exploit.
>
> Credit:
> The issue was independently discovered and reported by Ali Al-Habsi of
> Accellion & Everardo Padilla Saca.
>
> Thanks,
> Kaxil,
> on behalf of Apache Airflow PMC
>