CVE-2024-32077 – CVE-2024-32077 is a cross-site scripting (XSS) ... (How to Fix)

Q: What is the severity of CVE-2024-32077?

CVE-2024-32077 has a CVSS score of 5.4 (MEDIUM). CVE-2024-32077 is a cross-site scripting (XSS) vulnerability in Apache Airflow 2.9.0 that allows authenticated attackers to inject malicious scripts into task instance logs. When viewed by administrators or other users, these scripts execute in their browser context, potentially leading to session hijacking or unauthorized actions. This affects all Apache Airflow 2.9.0 deployments with authenticated user access.

📋 TL;DR

CVE-2024-32077 is a cross-site scripting (XSS) vulnerability in Apache Airflow 2.9.0 that allows authenticated attackers to inject malicious scripts into task instance logs. When viewed by administrators or other users, these scripts execute in their browser context, potentially leading to session hijacking or unauthorized actions. This affects all Apache Airflow 2.9.0 deployments with authenticated user access.

💻 Affected Systems

Products:

Apache Airflow

Versions: Version 2.9.0 only

Operating Systems: All operating systems running Apache Airflow

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Apache Airflow 2.9.0; earlier versions are not vulnerable. Requires authenticated user access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could steal administrator session cookies, perform actions as administrators, or redirect users to malicious sites, potentially leading to full system compromise.

🟠

Likely Case

Attackers with authenticated access inject malicious scripts into logs that execute when viewed by other users, leading to session hijacking or limited unauthorized actions.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are rendered harmless as text rather than executable code.

🌐 Internet-Facing: MEDIUM - Internet-facing Airflow instances are at risk if attackers can authenticate, but exploitation requires authenticated access.

🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access to Airflow. The vulnerability is in log rendering, making exploitation straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.1

Vendor Advisory: https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77

Restart Required: Yes

Instructions:

1. Backup your Airflow configuration and database. 2. Stop all Airflow services. 3. Upgrade Airflow using pip: 'pip install --upgrade apache-airflow==2.9.1'. 4. Run database migrations: 'airflow db upgrade'. 5. Restart all Airflow services.

🔧 Temporary Workarounds

Disable log viewing for non-administrators

all

Restrict access to task instance logs to administrators only to reduce attack surface.

Configure Airflow RBAC to limit 'can_log' permission to admin role only

Implement Content Security Policy (CSP)

all

Add CSP headers to prevent execution of injected scripts.

Add 'Content-Security-Policy: default-src 'self'' to web server configuration

🧯 If You Can't Patch

Implement strict input validation and output encoding for all user-controlled data in logs
Monitor and audit log access patterns for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Airflow version: 'airflow version' should show 2.9.0 if vulnerable.

Check Version:

airflow version

Verify Fix Applied:

After upgrade, verify version: 'airflow version' should show 2.9.1 or higher.

📡 Detection & Monitoring

Log Indicators:

Unusual script tags or JavaScript in task instance logs
Multiple failed log injection attempts

Network Indicators:

Unexpected outbound connections from Airflow web interface to external domains

SIEM Query:

source="airflow" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")

📊 Metadata

CVE ID: CVE-2024-32077

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: May 14, 2024

Last Updated: March 27, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2024/05/14/1 Mailing List,Third Party Advisory
https://github.com/apache/airflow/pull/38882 Issue Tracking,Patch
https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77 Mailing List,Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/05/14/1 Mailing List,Third Party Advisory
https://github.com/apache/airflow/pull/38882 Issue Tracking,Patch
https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77 Mailing List,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-32077, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Airflow by Apache

Airflow by Apache

Airflow by Apache

Airflow by Apache

Airflow by Apache

Airflow by Apache

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable log viewing for non-administrators

Implement Content Security Policy (CSP)

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities