CVE-2024-39863
Injection vulnerability in apache-airflow (PyPI)
What is CVE-2024-39863 About?
This vulnerability in Apache Airflow allows an authenticated attacker to inject a malicious link during provider installation. Such injection could lead to various malicious activities, including phishing or cross-site scripting, impacting user trust and data integrity. Exploitation requires prior authentication, making it moderately difficult.
Affected Software
- apache-airflow (PyPI): versions before 2.9.3
Technical Details
The vulnerability stems from insufficient sanitization of user-supplied input during the installation of a provider in Apache Airflow versions before 2.9.3. An authenticated attacker can craft a malicious input string containing an arbitrary URL or script, which is then rendered or executed within the Airflow interface when the provider is installed. This malicious link injection allows for drive-by downloads, redirection to attacker-controlled sites, or XSS through embedded script execution, compromising user sessions or leading to further exploitation.
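The defect class described above (an untrusted link rendered into the UI without validation or escaping) and its mitigation can be shown side by side. The following is an added illustration written for this page; it is not Airflow's code and does not reproduce the referenced fix commit. The sample link values are constructed, and `render_link_unsafe`, `sanitize_url`, `render_link_safe` and `audit_links` are hypothetical helper names.

```python
import html
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample inputs: values a provider's metadata might supply as a
# documentation link. The hostile ones are the kinds of strings an unescaped
# template would emit verbatim into the page.
SAMPLE_LINKS: Dict[str, str] = {
    "benign": "https://airflow.apache.org/docs/apache-airflow-providers-http/",
    "scheme_smuggling": "javascript:alert(document.cookie)",
    "attribute_breakout": 'https://example.invalid/" onmouseover="alert(1)',
    "tag_injection": "<script>alert(1)</script>",
}

# Only web schemes are acceptable for a clickable documentation link.
ALLOWED_SCHEMES = {"http", "https"}


def render_link_unsafe(url: str, label: str) -> str:
    """Vulnerable pattern: interpolates untrusted values straight into HTML.

    Both the attribute context (href) and the text context (label) are
    injectable; a javascript: URL or a closing quote is enough.
    """
    return f'<a href="{url}">{label}</a>'


def sanitize_url(url: str) -> Optional[str]:
    """Return the URL if it has an allowed scheme and a host, otherwise None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_link_safe(url: str, label: str) -> str:
    """Hardened pattern: validate the scheme and host, then escape per context.

    A link that fails validation degrades to escaped plain text rather than
    becoming clickable; a link that passes is still escaped so a quote in the
    path cannot break out of the href attribute.
    """
    clean = sanitize_url(url)
    if clean is None:
        return html.escape(label, quote=True)
    return (
        f'<a href="{html.escape(clean, quote=True)}" rel="noopener noreferrer">'
        f"{html.escape(label, quote=True)}</a>"
    )


def audit_links(links: Dict[str, str]) -> List[str]:
    """Names of the supplied links that validation would reject.

    Useful when reviewing provider metadata before it reaches a template.
    """
    return sorted(name for name, url in links.items() if sanitize_url(url) is None)


if __name__ == "__main__":
    for name, url in SAMPLE_LINKS.items():
        print(name)
        print("  unsafe:", render_link_unsafe(url, "docs"))
        print("  safe:  ", render_link_safe(url, "docs"))
    print("rejected:", audit_links(SAMPLE_LINKS))
```

Note that `attribute_breakout` passes `sanitize_url` on purpose: its scheme and host are legitimate, and it is the escaping step, not the allowlist, that neutralises the embedded quote. Validation and output encoding address different parts of the problem, and the page's description (arbitrary URL or script) needs both.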
What is the Impact of CVE-2024-39863?
Successful exploitation may allow attackers to redirect users to malicious websites, execute arbitrary client-side scripts, deface web content, or phish credentials.
What is the Exploitability of CVE-2024-39863?
Exploitation of this vulnerability requires an authenticated attacker. The complexity is moderate, since it involves crafting a specific malicious link in the context of provider installation. Once authenticated to the Airflow instance, the attack can be carried out remotely, and no privileges beyond standard authenticated user access are required. The likelihood of exploitation increases if users frequently install unverified or third-party providers, or if Airflow instances are exposed with weak or easily guessable user credentials.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-39863?
Available Upgrade Options
- apache-airflow
- <2.9.3 → Upgrade to 2.9.3
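A practitioner's first question is whether a given deployment falls below the fixed version. The check below is an added example for this page, not Resolved Security's or Airflow's tooling; it reads the installed `apache-airflow` distribution version and compares it against 2.9.3 with a small self-contained comparator (used here instead of the `packaging` library so the script has no extra dependencies). The function names are hypothetical, and pre-releases of the fixed version (such as a 2.9.3 release candidate) are deliberately treated as still affected.

```python
import re
from importlib.metadata import PackageNotFoundError, version as pkg_version
from typing import Optional, Tuple

# From the advisory: apache-airflow versions before 2.9.3 are affected.
FIXED_VERSION = "2.9.3"

# Numeric release segment, optionally followed by a PEP 440 style pre-release
# or dev marker (a1, b2, rc1, .dev0). Anything after that is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*((?:a|b|rc|\.dev|dev)\d*)?", re.I)


def parse_version(v: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (release numbers, is_prerelease) for a version string.

    "2.9.3"    -> ((2, 9, 3), False)
    "2.9.3rc1" -> ((2, 9, 3), True)
    """
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, m.group(2) is not None


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` sorts strictly below `fixed`.

    Shorter release tuples are zero-padded ("2.9" == "2.9.0"), and a
    pre-release sorts below the final release with the same numbers, so
    "2.9.3rc1" < "2.9.3" and counts as affected.
    """
    a, a_pre = parse_version(installed)
    b, b_pre = parse_version(fixed)
    width = max(len(a), len(b))
    a_key = (a + (0,) * (width - len(a)), 0 if a_pre else 1)
    b_key = (b + (0,) * (width - len(b)), 0 if b_pre else 1)
    return a_key < b_key


def installed_airflow_version() -> Optional[str]:
    """Version of the apache-airflow distribution in this environment, or None."""
    try:
        return pkg_version("apache-airflow")
    except PackageNotFoundError:
        return None


def check_environment() -> str:
    """Human-readable verdict for the current Python environment."""
    v = installed_airflow_version()
    if v is None:
        return "apache-airflow is not installed in this environment"
    verdict = "AFFECTED (upgrade to %s)" % FIXED_VERSION if is_affected(v) else "not affected"
    return f"apache-airflow {v}: {verdict}"


if __name__ == "__main__":
    print(check_environment())
```

Run it inside the virtual environment or container image that actually serves the Airflow webserver; a check run from a different interpreter reports on the wrong installation.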
Additional Resources
- https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
- https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58
- http://www.openwall.com/lists/oss-security/2024/07/16/6
- https://github.com/apache/airflow
- https://osv.dev/vulnerability/PYSEC-2024-189
- https://github.com/apache/airflow/pull/40475
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml
What are Similar Vulnerabilities to CVE-2024-39863?
Similar Vulnerabilities: CVE-2023-37903, CVE-2023-45815, CVE-2023-49089, CVE-2023-34326, CVE-2023-32692
