CVE-2024-41937
Apache Airflow Cross-site Scripting Vulnerability
CVSS 3.1 base score: 6.1 (MEDIUM)
EPSS: 1.1%
Description
Apache Airflow versions before 2.10.0 contain a vulnerability that allows the author of a malicious provider package to carry out a cross-site scripting attack when a user clicks that provider's documentation link in the web UI. Exploitation requires the malicious provider to be installed on the web server and the victim to click the link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
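As an added example (not Apache Airflow's code, and not its actual patch), the following Python shows the class of bug the description refers to: a provider-controlled documentation URL rendered into a link with neither a scheme allow-list nor escaping, next to a hardened renderer. The provider metadata dictionaries, the `documentation_url` field name and both render functions are assumptions made for this illustration.

```python
"""Added illustration for CVE-2024-41937; this is not Apache Airflow's code.

The advisory says a malicious provider can cause XSS "when clicking on a
provider documentation link". The classic way a link becomes click-triggered
XSS is a URL whose scheme is javascript: (or an attribute breakout inside the
href). Below, constructed provider-metadata dicts stand in for what a
provider package reports to the web server; the field name
'documentation_url' and both render functions are assumptions made for this
example, not Airflow's API or its actual fix.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed metadata, as a hostile provider package might report it.
MALICIOUS_PROVIDER = {
    "package_name": "apache-airflow-providers-evil",
    # Inert until the user clicks; then it runs in the origin of the web UI,
    # with the victim's session cookies attached to any request it makes.
    "documentation_url": "javascript:fetch('/api/v1/connections').then(r=>r.text()).then(alert)",
}

# Second constructed variant: a valid https URL that breaks out of the
# href attribute, so a scheme check alone would not be enough.
BREAKOUT_PROVIDER = {
    "package_name": "apache-airflow-providers-breakout",
    "documentation_url": 'https://example.invalid/docs" onmouseover="alert(document.cookie)',
}

# Constructed benign provider for comparison.
BENIGN_PROVIDER = {
    "package_name": "apache-airflow-providers-example",
    "documentation_url": "https://example.invalid/docs/",
}


def render_doc_link_vulnerable(provider: dict) -> str:
    """Vulnerable pattern (constructed): attacker data interpolated
    straight into the HTML, with neither escaping nor a scheme check."""
    return f'<a href="{provider["documentation_url"]}">{provider["package_name"]}</a>'


def safe_doc_url(url: str) -> Optional[str]:
    """Return the URL only if it is an absolute http(s) URL, else None.

    Leading/trailing whitespace is stripped first because browsers ignore
    it, and urlsplit() lower-cases the scheme, so ' JavaScript:...' is
    still caught. Scheme-relative ('//host/...') and relative URLs are
    rejected too: a documentation link should always be absolute.
    """
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return cleaned


def render_doc_link_hardened(provider: dict) -> str:
    """Hardened rendering: allow-list the scheme, then HTML-escape every
    value that lands in the markup. If the URL is not acceptable, the
    provider name is shown as plain text with no link at all."""
    name = html.escape(str(provider.get("package_name", "")), quote=True)
    url = safe_doc_url(str(provider.get("documentation_url", "")))
    if url is None:
        return name
    return f'<a href="{html.escape(url, quote=True)}" rel="noopener noreferrer">{name}</a>'


if __name__ == "__main__":
    for p in (MALICIOUS_PROVIDER, BREAKOUT_PROVIDER, BENIGN_PROVIDER):
        print("vulnerable:", render_doc_link_vulnerable(p))
        print("hardened:  ", render_doc_link_hardened(p))
        print()
```

Run it directly to print both renderings for each constructed provider. The hardened version's two checks are independent: the scheme allow-list stops `javascript:` and `data:` URLs, which are the click-triggered vector the description points at, while `html.escape` stops an otherwise valid `https:` URL from breaking out of the `href` attribute. A template engine with autoescaping enabled covers the second case but not the first, so the scheme check has to be explicit.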
How to fix CVE-2024-41937
To remediate CVE-2024-41937, upgrade the affected package to a fixed version. The same fix applies to each of the three affected packages listed below:
- upgrade to 2.10.0 or later
Is CVE-2024-41937 being exploited?
Low. EPSS is 1.1%, i.e. the model estimates roughly a one-in-a-hundred chance of exploitation in the wild within the next 30 days; this is a prediction, not a report of observed attacks. The preconditions also limit exposure: the attacker must get a malicious provider package installed on the web server and then get a user to click its documentation link.
Affected packages (3)
- from 0, < 2.10.0 (the same range applies to all three packages: every release before 2.10.0)
CVSS scores
| Source | Version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |

Both vectors describe the same picture: reachable over the network with low complexity and no privileges, user interaction required (the click), and low confidentiality and integrity impact. The 3.1 changed scope (S:C) and the 4.0 subsequent-system impacts (SC:L/SI:L with VC:N/VI:N) both express that the damage lands in the user's browser session rather than on the Airflow web server itself.