You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@airflow.apache.org by Jedidiah Cunningham <je...@apache.org> on 2022/02/24 18:00:13 UTC

CVE-2021-45229: Apache Airflow: Reflected XSS via Origin Query Argument in URL

Severity: high

Description:

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.

This issue affects Apache Airflow versions 2.2.3 and below. 

Credit:

The Apache Airflow PMC would like to thank both Bogdan Kurinnoy of the Samsung R&D Institute Ukraine (SRK) and Ali Al-Habsi of Accellion for independently discovering and reporting this issue.