{"id":"CVE-2024-32077","summary":"Apache Airflow: XSS vulnerability in Task Instance Log/Log Details","details":"Apache Airflow version 2.9.0 has a cross-site scripting (XSS) vulnerability in Task Instance Log/Log Details that allows an authenticated attacker to inject malicious data into the task instance logs.\nUsers are advised to upgrade to version 2.9.1, which fixes this issue.","aliases":["BIT-airflow-2024-32077","GHSA-52gm-qmg3-r4qp","PYSEC-2024-264"],"modified":"2026-05-28T03:55:53.067905967Z","published":"2024-05-14T10:43:20.299Z","database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"apache","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32077.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/05/14/1"},{"type":"WEB","url":"https://pypi.python.org"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32077.json"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32077"},{"type":"FIX","url":"https://github.com/apache/airflow/pull/38882"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/airflow","events":[{"introduced":"e61cb8fa41f34bc5e3140a2c22b24dd110b4c421"},{"fixed":"9cb7c47ff2b89890a3eb716cf2a174ee71ef0af3"}]}],"versions":["python-client-2.9.3rc1","2.9.3rc1","2.9.3","2.9.2rc1","2.9.2","2.9.1rc2","2.9.1","2.9.1rc1","python-client-2.9.0rc1","python-client-2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32077.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}