CVE-2020-13944

Source
https://cve.org/CVERecord?id=CVE-2020-13944
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13944.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-13944
Aliases
Published
2020-09-17T14:15:12.810Z
Modified
2026-02-11T12:41:50.498010Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints, such as '/trigger', was vulnerable to an XSS exploit.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type
GIT
Repo
https://github.com/apache/airflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed

Affected versions

helm-chart/1.*
helm-chart/1.1.0
helm-chart/1.1.0rc1
oss-helm-chart/1.*
oss-helm-chart/1.1.0-rc16.3.12
oss-helm-chart/1.2.0-rc1
providers-airbyte/2.*
providers-airbyte/2.0.0
providers-airbyte/2.1.0
providers-airbyte/2.1.0rc2
providers-airbyte/2.1.1
providers-airbyte/2.1.1rc1
providers-alibaba/1.*
providers-alibaba/1.0.0
providers-alibaba/1.0.0rc1
providers-amazon/2.*
providers-amazon/2.0.0
providers-amazon/2.1.0
providers-amazon/2.1.0rc1
providers-amazon/2.1.0rc2
providers-amazon/2.2.0
providers-amazon/2.2.0rc1
providers-amazon/2.3.0
providers-amazon/2.3.0rc1
providers-amazon/2.3.0rc2
providers-apache-beam/3.*
providers-apache-beam/3.0.0
providers-apache-beam/3.0.1
providers-apache-beam/3.0.1rc1
providers-apache-cassandra/2.*
providers-apache-cassandra/2.0.0
providers-apache-cassandra/2.0.1
providers-apache-cassandra/2.0.1rc1
providers-apache-cassandra/2.1.0
providers-apache-cassandra/2.1.0rc1
providers-apache-drill/1.*
providers-apache-drill/1.0.0
providers-apache-drill/1.0.0rc1
providers-apache-drill/1.0.0rc2
providers-apache-drill/1.0.1
providers-apache-drill/1.0.1rc1
providers-apache-druid/2.*
providers-apache-druid/2.0.0
providers-apache-druid/2.0.1
providers-apache-druid/2.0.1rc2
providers-apache-druid/2.0.2
providers-apache-druid/2.0.2rc1
providers-apache-hdfs/2.*
providers-apache-hdfs/2.0.0
providers-apache-hdfs/2.1.0
providers-apache-hdfs/2.1.0rc1
providers-apache-hdfs/2.1.1
providers-apache-hdfs/2.1.1rc1
providers-apache-hive/2.*
providers-apache-hive/2.0.0
providers-apache-hive/2.0.1
providers-apache-hive/2.0.1rc1
providers-apache-hive/2.0.1rc2
providers-apache-hive/2.0.2
providers-apache-hive/2.0.2rc1
providers-apache-kylin/2.*
providers-apache-kylin/2.0.0
providers-apache-kylin/2.0.1
providers-apache-kylin/2.0.1rc1
providers-apache-livy/2.*
providers-apache-livy/2.0.0
providers-apache-livy/2.1.0
providers-apache-livy/2.1.0rc1
providers-apache-pig/2.*
providers-apache-pig/2.0.0
providers-apache-pig/2.0.1
providers-apache-pig/2.0.1rc1
providers-apache-pinot/2.*
providers-apache-pinot/2.0.0
providers-apache-pinot/2.0.1
providers-apache-pinot/2.0.1rc1
providers-apache-spark/2.*
providers-apache-spark/2.0.0
providers-apache-spark/2.0.1
providers-apache-spark/2.0.1rc1
providers-apache-sqoop/2.*
providers-apache-sqoop/2.0.0
providers-apache-sqoop/2.0.1
providers-apache-sqoop/2.0.1rc1
providers-apache-sqoop/2.0.1rc2
providers-apache-sqoop/2.0.2
providers-apache-sqoop/2.0.2rc1
providers-asana/1.*
providers-asana/1.0.0
providers-asana/1.1.0
providers-asana/1.1.0rc1
providers-celery/2.*
providers-celery/2.0.0
providers-celery/2.1.0
providers-celery/2.1.0rc1
providers-celery/2.1.0rc2
providers-cloudant/2.*
providers-cloudant/2.0.0
providers-cloudant/2.0.1
providers-cloudant/2.0.1rc1
providers-cncf-kubernetes/2.*
providers-cncf-kubernetes/2.0.0
providers-cncf-kubernetes/2.0.1
providers-cncf-kubernetes/2.0.1rc1
providers-cncf-kubernetes/2.0.1rc2
providers-cncf-kubernetes/2.0.2
providers-cncf-kubernetes/2.0.2rc1
providers-cncf-kubernetes/2.0.3
providers-cncf-kubernetes/2.0.3rc1
providers-databricks/2.*
providers-databricks/2.0.0
providers-databricks/2.0.1
providers-databricks/2.0.1rc1
providers-databricks/2.0.2
providers-databricks/2.0.2rc1
providers-datadog/2.*
providers-datadog/2.0.0
providers-datadog/2.0.1
providers-datadog/2.0.1rc1
providers-dingding/2.*
providers-dingding/2.0.0
providers-dingding/2.0.1
providers-dingding/2.0.1rc1
providers-discord/2.*
providers-discord/2.0.0
providers-discord/2.0.1
providers-discord/2.0.1rc1
providers-docker/2.*
providers-docker/2.0.0
providers-docker/2.1.0
providers-docker/2.1.0rc1
providers-docker/2.1.0rc2
providers-docker/2.1.1
providers-docker/2.1.1rc1
providers-docker/2.2.0
providers-docker/2.2.0rc1
providers-elasticsearch/2.*
providers-elasticsearch/2.0.1
providers-elasticsearch/2.0.2rc1
providers-elasticsearch/2.0.2rc2
providers-elasticsearch/2.0.3
providers-elasticsearch/2.0.3rc1
providers-exasol/2.*
providers-exasol/2.0.0
providers-exasol/2.0.1
providers-exasol/2.0.1rc1
providers-facebook/2.*
providers-facebook/2.0.0
providers-facebook/2.0.1
providers-facebook/2.0.1rc1
providers-ftp/2.*
providers-ftp/2.0.0
providers-ftp/2.0.1
providers-ftp/2.0.1rc1
providers-google/4.*
providers-google/4.0.0
providers-google/4.1.0rc1
providers-google/5.*
providers-google/5.0.0
providers-google/5.0.0rc2
providers-google/5.1.0
providers-google/5.1.0rc1
providers-google/6.*
providers-google/6.0.0
providers-google/6.0.0rc1
providers-grpc/2.*
providers-grpc/2.0.0
providers-grpc/2.0.1
providers-grpc/2.0.1rc1
providers-hashicorp/2.*
providers-hashicorp/2.0.0
providers-hashicorp/2.1.0
providers-hashicorp/2.1.0rc1
providers-hashicorp/2.1.0rc2
providers-hashicorp/2.1.1
providers-hashicorp/2.1.1rc1
providers-http/2.*
providers-http/2.0.0
providers-http/2.0.1
providers-http/2.0.1rc1
providers-imap/2.*
providers-imap/2.0.0
providers-imap/2.0.1
providers-imap/2.0.1rc1
providers-influxdb/1.*
providers-influxdb/1.0.0
providers-influxdb/1.0.0rc1
providers-jdbc/2.*
providers-jdbc/2.0.0
providers-jdbc/2.0.1
providers-jdbc/2.0.1rc1
providers-jenkins/2.*
providers-jenkins/2.0.0
providers-jenkins/2.0.1
providers-jenkins/2.0.1rc1
providers-jenkins/2.0.1rc2
providers-jenkins/2.0.2
providers-jenkins/2.0.2rc1
providers-jira/2.*
providers-jira/2.0.0
providers-jira/2.0.1
providers-jira/2.0.1rc1
providers-microsoft-azure/3.*
providers-microsoft-azure/3.0.0
providers-microsoft-azure/3.1.0
providers-microsoft-azure/3.1.0rc1
providers-microsoft-azure/3.1.0rc2
providers-microsoft-azure/3.1.1
providers-microsoft-azure/3.1.1rc1
providers-microsoft-azure/3.2.0
providers-microsoft-azure/3.2.0rc1
providers-microsoft-mssql/2.*
providers-microsoft-mssql/2.0.0
providers-microsoft-mssql/2.0.1
providers-microsoft-mssql/2.0.1rc1
providers-microsoft-psrp/1.*
providers-microsoft-psrp/1.0.0
providers-microsoft-psrp/1.0.0rc1
providers-microsoft-psrp/1.0.1
providers-microsoft-psrp/1.0.1rc1
providers-microsoft-psrp/1.0.1rc2
providers-microsoft-winrm/2.*
providers-microsoft-winrm/2.0.0
providers-microsoft-winrm/2.0.1
providers-microsoft-winrm/2.0.1rc1
providers-mongo/2.*
providers-mongo/2.0.0
providers-mongo/2.1.0
providers-mongo/2.1.0rc1
providers-mysql/2.*
providers-mysql/2.0.0
providers-mysql/2.1.0
providers-mysql/2.1.0rc1
providers-mysql/2.1.0rc2
providers-mysql/2.1.1
providers-mysql/2.1.1rc1
providers-neo4j/2.*
providers-neo4j/2.0.0
providers-neo4j/2.0.1
providers-neo4j/2.0.1rc1
providers-neo4j/2.0.2
providers-neo4j/2.0.2rc1
providers-odbc/2.*
providers-odbc/2.0.0
providers-odbc/2.0.1
providers-odbc/2.0.1rc1
providers-openfaas/2.*
providers-openfaas/2.0.0
providers-opsgenie/2.*
providers-opsgenie/2.0.0
providers-opsgenie/2.0.1
providers-opsgenie/2.0.1rc1
providers-oracle/2.*
providers-oracle/2.0.0
providers-oracle/2.0.1
providers-oracle/2.0.1rc1
providers-pagerduty/2.*
providers-pagerduty/2.0.0
providers-pagerduty/2.0.1
providers-pagerduty/2.0.1rc1
providers-papermill/2.*
providers-papermill/2.0.0
providers-papermill/2.0.1
providers-papermill/2.0.1rc1
providers-papermill/2.1.0
providers-papermill/2.1.0rc1
providers-plexus/2.*
providers-plexus/2.0.0
providers-plexus/2.0.1
providers-plexus/2.0.1rc1
providers-postgres/2.*
providers-postgres/2.0.0
providers-postgres/2.1.0
providers-postgres/2.1.0rc1
providers-postgres/2.1.0rc2
providers-postgres/2.2.0
providers-postgres/2.2.0rc1
providers-postgres/2.3.0
providers-postgres/2.3.0rc1
providers-presto/2.*
providers-presto/2.0.0
providers-presto/2.0.1
providers-presto/2.0.1rc1
providers-qubole/2.*
providers-qubole/2.0.0
providers-qubole/2.0.1
providers-qubole/2.0.1rc1
providers-redis/2.*
providers-redis/2.0.0
providers-redis/2.0.1
providers-redis/2.0.1rc1
providers-salesforce/3.*
providers-salesforce/3.0.0
providers-salesforce/3.1.0
providers-salesforce/3.1.0rc2
providers-salesforce/3.2.0
providers-salesforce/3.2.0rc1
providers-samba/2.*
providers-samba/2.0.0
providers-samba/3.*
providers-samba/3.0.0
providers-samba/3.0.0rc1
providers-segment/2.*
providers-segment/2.0.0
providers-segment/2.0.1
providers-segment/2.0.1rc1
providers-sendgrid/2.*
providers-sendgrid/2.0.0
providers-sendgrid/2.0.1
providers-sendgrid/2.0.1rc1
providers-sftp/2.*
providers-sftp/2.0.0
providers-sftp/2.1.0
providers-sftp/2.1.0rc1
providers-sftp/2.1.0rc2
providers-sftp/2.1.1
providers-sftp/2.1.1rc1
providers-singularity/2.*
providers-singularity/2.0.0
providers-singularity/2.0.1
providers-singularity/2.0.1rc1
providers-slack/4.*
providers-slack/4.0.0
providers-slack/4.0.1
providers-slack/4.0.1rc1
providers-slack/4.1.0
providers-slack/4.1.0rc1
providers-snowflake/2.*
providers-snowflake/2.0.0
providers-snowflake/2.1.0
providers-snowflake/2.1.0rc1
providers-snowflake/2.1.0rc2
providers-snowflake/2.1.1
providers-snowflake/2.1.1rc1
providers-snowflake/2.2.0
providers-snowflake/2.2.0rc1
providers-sqlite/2.*
providers-sqlite/2.0.0
providers-sqlite/2.0.1
providers-sqlite/2.0.1rc1
providers-ssh/2.*
providers-ssh/2.0.0
providers-ssh/2.1.0
providers-ssh/2.1.0rc1
providers-ssh/2.1.0rc2
providers-ssh/2.1.1
providers-ssh/2.1.1rc1
providers-ssh/2.2.0
providers-ssh/2.2.0rc1
providers-tableau/2.*
providers-tableau/2.0.0
providers-tableau/2.1.0
providers-tableau/2.1.0rc1
providers-tableau/2.1.0rc2
providers-tableau/2.1.1
providers-tableau/2.1.1rc1
providers-telegram/2.*
providers-telegram/2.0.0
providers-telegram/2.0.1
providers-telegram/2.0.1rc1
providers-trino/2.*
providers-trino/2.0.0
providers-trino/2.0.1
providers-trino/2.0.1rc1
providers-vertica/2.*
providers-vertica/2.0.0
providers-vertica/2.0.1
providers-vertica/2.0.1rc1
providers-yandex/2.*
providers-yandex/2.0.0
providers-yandex/2.1.0
providers-yandex/2.1.0rc1
providers-zendesk/2.*
providers-zendesk/2.0.0
providers-zendesk/2.0.1
providers-zendesk/2.0.1rc1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13944.json"