CVE-2021-45229: Apache Airflow Cross-site Scripting Vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.88892%
Published: 2/26/2022
Updated: 9/12/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| apache-airflow | pip | >= 0, < 2.2.4rc1 | 2.2.4rc1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unsafe handling of the 'origin' parameter in the 'airflow/www/templates/airflow/trigger.html' template, not from a specific function. The pre-patch code injected the 'origin' value directly into a JavaScript context (onclick handler) without proper escaping. The fix replaced the JavaScript-based button with an HTML anchor tag, leveraging template auto-escaping. No backend functions were explicitly modified in the provided patch, and the primary issue was in template rendering logic rather than a discrete function.
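The difference between the two rendering contexts described above, as an added example that is not part of the original page or of Airflow's code. The two templates and the sample values are constructed, and `html.escape` stands in for template auto-escaping; the example shows why HTML escaping holds in an `href` attribute but not inside a JavaScript string in an `onclick` attribute.

```python
import html
import re

# Constructed templates approximating the two shapes the analysis describes;
# they are not copied from Airflow's trigger.html.
BUTTON = '<button onclick="location.href = \'{}\'; return false">Cancel</button>'
ANCHOR = '<a class="btn" href="{}">Cancel</a>'

def render(template, origin):
    # html.escape stands in for template auto-escaping (assumption).
    return template.format(html.escape(origin, quote=True))

def attribute_value(markup, name):
    # A browser entity-decodes an attribute before using its value,
    # so the JavaScript engine sees the decoded text of onclick.
    raw = re.search(r'\b{}="([^"]*)"'.format(name), markup).group(1)
    return html.unescape(raw)

def first_js_string(js):
    # Contents of the first single-quoted JavaScript string literal.
    start = js.index("'") + 1
    i = start
    while i < len(js) and js[i] != "'":
        i += 2 if js[i] == "\\" else 1
    return js[start:i]

def breaks_out_of_onclick(origin):
    # True when the value is no longer wholly inside the string literal,
    # i.e. part of it would be parsed as JavaScript code.
    handler = attribute_value(render(BUTTON, origin), "onclick")
    return first_js_string(handler) != origin

def href_roundtrips(origin):
    # True when the anchor's href decodes back to exactly the input,
    # i.e. the value stayed data inside one attribute.
    return attribute_value(render(ANCHOR, origin), "href") == origin

BENIGN = "/home"                  # constructed sample value
CRAFTED = "/home';alert(1);//"    # constructed sample value containing a quote

if __name__ == "__main__":
    for value in (BENIGN, CRAFTED):
        print(repr(value), breaks_out_of_onclick(value), href_roundtrips(value))
```

Escaping keeps the value inside the `href` attribute but does not validate the URL scheme, so the redirect target still needs a server-side check.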


WAF Protection Rules

WAF Rule

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions *.*.* and below.
