#VU68938 Cross-site scripting in Apache Airflow - CVE-2022-43982

Cybersecurity Help s.r.o.

Published: 2022-11-02

Vulnerability identifier: #VU68938

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-43982

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Airflow
Web applications / Modules and components for CMS

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the `origin` query argument in the Trigger DAG with config screen. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Apache Airflow: 2.0.0 - 2.4.1

External links
https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l
https://github.com/apache/airflow/pull/27143

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apache Airflow