CVE-2024-32077
Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
5.4
MEDIUM
CVSS 3.1
EPSS 3.4%
Description
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.
How to fix CVE-2024-32077
To remediate CVE-2024-32077, upgrade the affected package to a fixed version below.
- Bitnami/airflow—upgrade to 2.9.1 or later
- —upgrade to 2.9.1 or later
- —no fix listed
Is CVE-2024-32077 being exploited?
Low — EPSS is 3.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 2.9.0, < 2.9.1
- >= 2.9.0, < 2.9.1
- from 0, <= 2.9.0-NA, <= 2.9.0-beta1, <= 2.9.0-beta2, <= 2.9.0-rc1, <= 2.9.0-rc2, <= 2.9.0-rc3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |