CVE-2022-43982: Apache Airflow Cross-site Scripting vulnerability

November 2, 2022 (updated September 11, 2024)

In Apache Airflow versions prior to 2.4.2, the “Trigger DAG with config” screen was susceptible to XSS attacks via the origin query argument.

References

github.com/advisories/GHSA-h63r-9xxf-f2c7
github.com/apache/airflow
github.com/apache/airflow/commit/9fb4814d29d934cef3b02fb3b2547f9fb76aaa97
github.com/apache/airflow/pull/27143
github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42970.yaml
lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l
nvd.nist.gov/vuln/detail/CVE-2022-43982

Detect and mitigate CVE-2022-43982 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →