We use cookies to improve your experience on our site.
AVID-2026-R0930
Description
Apache Airflow: Reflected XSS via Origin Query Argument in URL (CVE-2021-45229)
Details
It was discovered that the “Trigger DAG with config” screen was susceptible to XSS attacks via the origin query argument. This issue affects Apache Airflow versions 2.2.3 and below.
Reason for inclusion in AVID: CVE-2021-45229 describes a reflected XSS vulnerability in Apache Airflow’s web UI (Origin query parameter) affecting versions <= 2.2.3. Apache Airflow is a widely used component for orchestrating ML/data pipelines, deployment, and runtime workflows in AI systems. As such, a security vulnerability in Airflow constitutes a software supply chain issue relevant to AI systems, and the report provides explicit vulnerability behavior and affected versions with references.
References
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-79 | CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-02-25
- Version: 0.3.3
- AVID Entry