Vulnerability-Lookup

CVE-2020-13944 (GCVE-0-2020-13944)

Vulnerability from cvelistv5 – Published: 2020-09-17 14:01 – Updated: 2024-08-04 12:32

Summary

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.

Severity ?

No CVSS data available.

CWE

Information Disclosure

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread.html/r97e1b60ca50…	x_refsource_MISC
	https://lists.apache.org/thread.html/r4656959c8ed…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r2892ef594db…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r2892ef594db…	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2020/12/11/2	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r2892ef594db…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/ra8ce70088ba…	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/05/01/2	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rc005f4de9d9…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	Apache Airflow	Affected: Apache Airflow < 1.10.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:32:14.289Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-users] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-dev] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cdev.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-users] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cusers.airflow.apache.org%3E"
          },
          {
            "name": "[oss-security] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
          },
          {
            "name": "[announce] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
          },
          {
            "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
          },
          {
            "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Airflow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Airflow \u003c 1.10.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-03T23:06:24.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
        },
        {
          "name": "[airflow-users] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E"
        },
        {
          "name": "[airflow-dev] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cdev.airflow.apache.org%3E"
        },
        {
          "name": "[airflow-users] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cusers.airflow.apache.org%3E"
        },
        {
          "name": "[oss-security] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
        },
        {
          "name": "[announce] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
        },
        {
          "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
        },
        {
          "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-13944",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Airflow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Airflow \u003c 1.10.12"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-users] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-dev] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-users] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
            },
            {
              "name": "[announce] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
            },
            {
              "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-13944",
    "datePublished": "2020-09-17T14:01:40.000Z",
    "dateReserved": "2020-06-08T00:00:00.000Z",
    "dateUpdated": "2024-08-04T12:32:14.289Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

bit-airflow-2020-13944

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:00

Modified

2025-04-03 14:40

Summary

Details

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "airflow",
        "purl": "pkg:bitnami/airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.15"
            },
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13944"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit.",
  "id": "BIT-airflow-2020-13944",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:00:45.413Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13944"
    }
  ],
  "schema_version": "1.5.0"
}

PYSEC-2020-19

Vulnerability from pysec - Published: 2020-09-17 14:15 - Updated: 2021-05-04 00:15

Details

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.

Impacted products

Name	purl
apache-airflow	pkg:pypi/apache-airflow

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow",
        "purl": "pkg:pypi/apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.8.1",
        "1.8.2rc1",
        "1.8.2",
        "1.9.0",
        "1.10.0",
        "1.10.1b1",
        "1.10.1rc2",
        "1.10.1",
        "1.10.2b2",
        "1.10.2rc1",
        "1.10.2rc2",
        "1.10.2rc3",
        "1.10.2",
        "1.10.3b1",
        "1.10.3b2",
        "1.10.3rc1",
        "1.10.3rc2",
        "1.10.3",
        "1.10.4b2",
        "1.10.4rc1",
        "1.10.4rc2",
        "1.10.4rc3",
        "1.10.4rc4",
        "1.10.4rc5",
        "1.10.4",
        "1.10.5rc1",
        "1.10.5",
        "1.10.6rc1",
        "1.10.6rc2",
        "1.10.6",
        "1.10.7rc1",
        "1.10.7rc2",
        "1.10.7rc3",
        "1.10.7",
        "1.10.8rc1",
        "1.10.8",
        "1.10.9rc1",
        "1.10.9",
        "1.10.10rc1",
        "1.10.10rc2",
        "1.10.10rc3",
        "1.10.10rc4",
        "1.10.10rc5",
        "1.10.10",
        "1.10.11rc1",
        "1.10.11rc2",
        "1.10.11",
        "1.10.12rc1",
        "1.10.12rc2",
        "1.10.12rc3",
        "1.10.12rc4"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13944",
    "GHSA-4pwq-fj89-6rjc"
  ],
  "details": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit.",
  "id": "PYSEC-2020-19",
  "modified": "2021-05-04T00:15:00Z",
  "published": "2020-09-17T14:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4pwq-fj89-6rjc"
    }
  ]
}

GHSA-4PWQ-FJ89-6RJC

Vulnerability from github – Published: 2021-06-18 18:29 – Updated: 2024-09-11 20:04

Summary

Apache Airflow Cross-site Scripting

Details

In Apache Airflow < 1.10.12, the origin parameter passed to some of the endpoints like /trigger and was vulnerable to a XSS exploit.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-03T17:35:39Z",
    "nvd_published_at": "2020-09-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Apache Airflow \u003c 1.10.12, the `origin` parameter passed to some of the endpoints like `/trigger` and was vulnerable to a XSS exploit.",
  "id": "GHSA-4pwq-fj89-6rjc",
  "modified": "2024-09-11T20:04:09Z",
  "published": "2021-06-18T18:29:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13944"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/5c2bb7b0b0e717b11f093910b443243330ad93ca"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4pwq-fj89-6rjc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-19.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Airflow Cross-site Scripting "
}

GSD-2020-13944

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.

Aliases

CVE-2020-13944

Aliases

CVE-2020-13944

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-13944",
    "description": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit.",
    "id": "GSD-2020-13944"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-13944"
      ],
      "details": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit.",
      "id": "GSD-2020-13944",
      "modified": "2023-12-13T01:21:47.390055Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2020-13944",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Airflow",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache Airflow \u003c 1.10.12"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-users] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-dev] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-users] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
          },
          {
            "name": "[oss-security] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
          },
          {
            "name": "[announce] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
          },
          {
            "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
          },
          {
            "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
          },
          {
            "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.10.12",
          "affected_versions": "All versions before 1.10.12",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-05-04",
          "description": "In Apache Airflow, the `origin` parameter passed to endpoints like `/trigger` is vulnerable to XSS.",
          "fixed_versions": [
            "1.10.12"
          ],
          "identifier": "CVE-2020-13944",
          "identifiers": [
            "CVE-2020-13944"
          ],
          "not_impacted": "All versions starting from 1.10.12",
          "package_slug": "pypi/apache-airflow",
          "pubdate": "2020-09-17",
          "solution": "Upgrade to version 1.10.12 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-13944",
            "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
          ],
          "uuid": "74cf6e37-9c7e-40fd-9858-42b109de395a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.0.2",
                "versionStartIncluding": "2.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.10.15",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-13944"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-users] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
              "refsource": "MLIST",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-users] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
              "refsource": "MLIST",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-dev] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
              "refsource": "MLIST",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20201211 CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
            },
            {
              "name": "[announce] 20201211 Apache Airflow Security Vulnerabilities fixed in v1.10.13: CVE-2020-17515",
              "refsource": "MLIST",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "refsource": "MLIST",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
            },
            {
              "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "refsource": "MLIST",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-08-06T03:46Z",
      "publishedDate": "2020-09-17T14:15Z"
    }
  }
}

FKIE_CVE-2020-13944

Vulnerability from fkie_nvd - Published: 2020-09-17 14:15 - Updated: 2024-11-21 05:02

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2020/12/11/2	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/05/01/2	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cannounce.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cdev.airflow.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cusers.airflow.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E	Issue Tracking, Mailing List, Vendor Advisory
security@apache.org	https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2020/12/11/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/05/01/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cannounce.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cdev.airflow.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cusers.airflow.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E	Issue Tracking, Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E

Impacted products

	Vendor	Product	Version
	apache	airflow	*
	apache	airflow	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CB32F13-FF76-4E5A-8F2D-D827771E58AE",
              "versionEndExcluding": "1.10.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "498AB796-B84E-4682-BF15-16905DD626AF",
              "versionEndExcluding": "2.0.2",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache Airflow \u003c 1.10.12, the \"origin\" parameter passed to some of the endpoints like \u0027/trigger\u0027 was vulnerable to XSS exploit."
    },
    {
      "lang": "es",
      "value": "En Apache Airflow versiones anteriores a 1.10.12, el par\u00e1metro \"origin\" pasado a algunos de los endpoints como \"/trigger\" era vulnerable a una explotaci\u00f3n de un XSS"
    }
  ],
  "id": "CVE-2020-13944",
  "lastModified": "2024-11-21T05:02:12.133",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-17T14:15:12.810",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2022-AVI-525

Vulnerability from certfr_avis - Published: 2022-06-08 - Updated: 2022-06-08

De multiples vulnérabilités ont été découvertes dans les produits Fortinet. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Fortinet	FortiManager	FortiManager versions 6.4.x antérieures à 6.4.7
Fortinet	N/A	FortiTokenMobile pour iOS versions 5.3.x antérieures à 5.3.0
Fortinet	N/A	FortiTokenMobile pour Windows versions 4.1.x antérieures à 4.1.0
Fortinet	N/A	FortiTokenMobile pour Android versions 5.1.x antérieures à 5.1.0
Fortinet	FortiOS	FortiOS versions 7.0.x antérieures à 7.0.0
Fortinet	FortiDDoS	FortiDDoS versions antérieures à 5.6.0
Fortinet	FortiAnalyzer	FortiAnalyzer versions 6.4.x antérieures à 6.4.8
Fortinet	FortiSandbox	FortiSandbox versions antérieures à 4.2.0
Fortinet	N/A	FortiClientWindows versions 7.0.x antérieures à 7.0.4
Fortinet	FortiAnalyzer	FortiAnalyzer versions 7.0.x antérieures à 7.0.3
Fortinet	FortiManager	FortiManager versions 7.0.x antérieures à 7.0.2
Fortinet	FortiOS	FortiOS versions 6.4.x antérieures à 6.4.0
Fortinet	N/A	FortiClientWindows versions 6.4.x antérieures à 6.4.8
Fortinet	N/A	FortiAP-U 6.2.4 versions antérieures à 6.2.4
Fortinet	N/A	FortiAuthenticator Agent for Microsoft OWA versions antérieures 2.3

References

Title

Publication Time

CNVD-2020-52628

Vulnerability from cnvd - Published: 2020-09-18

Title

Apache Airflow跨站脚本漏洞（CNVD-2020-52628）

Description

Apache Airflow是一款用于编排复杂计算工作流和数据处理流水线的开源工具。 Apache Airflow 1.10.12之前版本中传递给某些端点的'origin'参数存在跨站脚本漏洞。目前没有详细的漏洞细节提供。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://airflow.apache.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-13944

Impacted products

Name
Apache Airflow <1.10.12

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-13944",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-13944"
    }
  },
  "description": "Apache Airflow\u662f\u4e00\u6b3e\u7528\u4e8e\u7f16\u6392\u590d\u6742\u8ba1\u7b97\u5de5\u4f5c\u6d41\u548c\u6570\u636e\u5904\u7406\u6d41\u6c34\u7ebf\u7684\u5f00\u6e90\u5de5\u5177\u3002\n\nApache Airflow 1.10.12\u4e4b\u524d\u7248\u672c\u4e2d\u4f20\u9012\u7ed9\u67d0\u4e9b\u7aef\u70b9\u7684\u0027origin\u0027\u53c2\u6570\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://airflow.apache.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-52628",
  "openTime": "2020-09-18",
  "products": {
    "product": "Apache Airflow \u003c1.10.12"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-13944",
  "serverity": "\u4e2d",
  "submitTime": "2020-09-18",
  "title": "Apache Airflow\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-52628\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-13944 (GCVE-0-2020-13944)

bit-airflow-2020-13944

Vulnerability from bitnami_vulndb

PYSEC-2020-19

GHSA-4PWQ-FJ89-6RJC

GSD-2020-13944

FKIE_CVE-2020-13944

CERTFR-2022-AVI-525

Solution

CNVD-2020-52628

Tags

Sightings

Nomenclature