CVE-2021-28359 in Apache and Python Products
Published on May 2, 2021
Apache Airflow Reflected XSS via Origin Query Argument in URL
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
Products Associated with CVE-2021-28359
stack.watch emails you whenever new vulnerabilities are published in Apache AirFlow or Python. Just hit a watch button to start following.
Affected Versions
Apache Software Foundation Apache Airflow:- Version Apache Airflow 2.0.0 is affected.
- Version Apache Airflow 2.0.1 is affected.
- Version Apache Airflow and below 1.10.15 is affected.
Exploit Probability
EPSS
4.16%
Percentile
88.57%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.