CVE-2023-29247
Cross-Site Scripting (XSS) vulnerability in apache-airflow (PyPI)

Cross-Site Scripting (XSS) | No known exploit

What is CVE-2023-29247 About?

This vulnerability affects Apache Airflow before version 2.6.0, allowing for a stored Cross-Site Scripting (XSS) attack. An attacker can inject malicious scripts into the task instance details page in the UI, which will execute when other users view the page. This can lead to session hijacking, data theft, or defacement of the application.

Affected Software

apache-airflow <2.6.0

Technical Details

The task instance details page within the Apache Airflow UI, specifically in versions prior to 2.6.0, is vulnerable to a stored Cross-Site Scripting (XSS) attack. This occurs because user-supplied input that is displayed on this page, or stored and re-rendered by the application, is not properly sanitized or encoded. An attacker can inject malicious JavaScript code into fields or parameters that are subsequently stored and displayed on the task instance details page. When another user views this compromised page, the injected script executes within their browser context. This allows the attacker to steal session cookies, deface the web application, redirect users to malicious sites, or perform actions on behalf of the victim user (e.g., changing settings or triggering DAGs) if their session is active.

What is the Impact of CVE-2023-29247?

Successful exploitation may allow attackers to execute arbitrary scripts in a victim's browser, leading to session hijacking, defacement, unauthorized actions, or information disclosure.

What is the Exploitability of CVE-2023-29247?

Exploitation of this vulnerability requires an authenticated attacker who can submit or modify content that will be displayed on the task instance details page. It is a stored XSS, meaning the malicious payload is persisted on the server and executed whenever a victim user accesses the vulnerable page. The attack is client-side, targeting other users' browsers. Beyond the ability to input data into the vulnerable fields, no special privileges are necessarily required. The complexity of injecting the payload is low for an authenticated attacker. The risk increases in collaborative environments where many users interact with task instance details pages, as more potential victims exist.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2023-29247?

Available Upgrade Options

  • apache-airflow
    • <2.6.0 → Upgrade to 2.6.0
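To find deployments that still need this upgrade, the following added example (not code from the advisory or from the Airflow project) scans requirements-file text for `apache-airflow` pins below 2.6.0. The function names and sample file are constructed for illustration, and treating 2.6.0 pre-releases (rc, dev) as affected is an assumption based on PEP 440 ordering; only exact pins are evaluated, and range specifiers are reported as `unpinned` for manual review.

```python
import re

FIXED = (2, 6)  # 2.6.0, the fixed release named in the advisory (trailing zeros dropped)
_NAME_SEP = re.compile(r"[-_.]+")  # PEP 503: these separators are interchangeable
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
                  r"(===?|[<>~!]=|[<>])?\s*([^\s;,]*)")
_VER = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
_PRE = re.compile(r"^[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview|dev)")

def is_affected(version):
    """True if `version` sorts before 2.6.0 (assumption: 2.6.0 pre-releases count)."""
    m = _VER.match(version.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while release and release[-1] == 0:  # 2.6.0 == 2.6 == 2.6.0.0
        release.pop()
    release = tuple(release)
    if release != FIXED:
        return release < FIXED
    return bool(_PRE.match(m.group(2)))  # 2.6.0rc1, 2.6.0.dev0 precede 2.6.0

def scan_requirements(text):
    """Return (line_number, status) for every apache-airflow requirement line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = _REQ.match(raw.split("#", 1)[0].strip())
        if not m or _NAME_SEP.sub("-", m.group(1)).lower() != "apache-airflow":
            continue  # other packages, including apache-airflow-providers-*
        op, ver = m.group(2), m.group(3)
        if op in ("==", "==="):
            status = "affected" if is_affected(ver) else "fixed"
        else:
            status = "unpinned"  # range or no specifier: resolve and check by hand
        findings.append((lineno, status))
    return findings

# Constructed sample requirements file (not taken from any real project).
SAMPLE = """\
# constructed sample
apache-airflow-providers-amazon==8.0.0
Apache_Airflow[celery,postgres]==2.5.3 ; python_version >= '3.8'
apache-airflow==2.6.0rc1
apache-airflow==2.6.0
apache-airflow>=2.4
"""

if __name__ == "__main__":
    for lineno, status in scan_requirements(SAMPLE):
        print(f"line {lineno}: {status}")
```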


What are Similar Vulnerabilities to CVE-2023-29247?

Similar Vulnerabilities: CVE-2021-44228, CVE-2022-26377, CVE-2022-21971, CVE-2020-28188, CVE-2018-19990