CVE Radar Logo
CVERadar
CVE Radar Logo
CVERadar

CVE-2024-32077

High Severity
Apache
SVRS
42/100
CVSSv3
5.4/10
EPSS
0.00546/1

CVE-2024-32077 affects Apache Airflow 2.9.0, allowing authenticated attackers to inject malicious data into task instance logs. This data injection vulnerability could lead to various security risks. The SVRS score is 42, suggesting a moderate level of concern, but should be addressed promptly. While not critical, CVE-2024-32077 can be exploited if left unpatched. Users should upgrade to Apache Airflow version 2.9.1 to mitigate this security risk. Ignoring this vulnerability might lead to compromised log data and potentially broader system exploits. The vendor advisory recommends immediate patching to secure your Airflow instances.

TAGS
Patch
Vendor-advisory
VECTOR STRING
CVSS:3.1
AV:N
AC:L
PR:L
UI:R
S:C
C:L
I:L
A:N
PUBLICATION DATE2024-05-14
LAST MODIFIED2025-03-27

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence
Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.
CREATE FREE ACCOUNT
CVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs

News

CVE-2024-32077 | Apache Airflow up to 2.9.0 Task Instance Log cross site scripting
vuldb.com2025-03-30
CVE-2024-32077 | Apache Airflow up to 2.9.0 Task Instance Log cross site scripting | A vulnerability classified as problematic has been found in Apache Airflow up to 2.9.0. This affects an unknown part of the component Task Instance Log Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-32077. It is possible to initiate the attack remotely
vuldb.com
rss
forum
news
CVE-2024-32077: Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
2024-05-14
CVE-2024-32077: Apache Airflow: XSS vulnerability in Task Instance Log/Log Details | Posted by Ephraim Anierobi on May 14Severity: moderate Affected versions: - Apache Airflow 2.9.0 before 2.9.1 Description: Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.<br
cve-2024-32077
domains
urls
cves
Vulnerability Summary for the Week of May 13, 2024
CISA2024-05-20
; The Themify Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themify_button shortcode in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2024-05-14 <a href="https://nvd.nist.gov/cvss.cfm?version=2&amp;name=CVE-2024-4567&amp;vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" target="_blank" title
cve-2023-52695
cve-2024-4231
cve-2024-4968
cve-2024-4666

Social Media

🚨In Apache #Airflow version 2.9.0 a critical security vulnerability CVE-2024-32077 was detected🚨This vulnerability allows attackers to inject data into the task instance logs. To address this issue, users are advised to upgrade to version 2.9.1. #vulnerability #cybersecurity
0
1
1

Affected Software

Configuration 1
TypeVendorProduct
AppApacheairflow

References

ReferenceLink
[email protected]https://github.com/apache/airflow/pull/38882
[email protected]https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77
[email protected]http://www.openwall.com/lists/oss-security/2024/05/14/1
[email protected]https://github.com/apache/airflow/pull/38882
[email protected]https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77
AF854A3A-2127-422B-91AE-364DA2661108http://www.openwall.com/lists/oss-security/2024/05/14/1
AF854A3A-2127-422B-91AE-364DA2661108https://github.com/apache/airflow/pull/38882
AF854A3A-2127-422B-91AE-364DA2661108https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77
[email protected]http://www.openwall.com/lists/oss-security/2024/05/14/1
[email protected]https://github.com/apache/airflow/pull/38882
[email protected]https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77
AF854A3A-2127-422B-91AE-364DA2661108http://www.openwall.com/lists/oss-security/2024/05/14/1
AF854A3A-2127-422B-91AE-364DA2661108https://github.com/apache/airflow/pull/38882
AF854A3A-2127-422B-91AE-364DA2661108https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77
[email protected]http://www.openwall.com/lists/oss-security/2024/05/14/1
[email protected]https://github.com/apache/airflow/pull/38882
[email protected]https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77

CWE Details

CWE IDCWE NameDescription
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence