VDB
GCVE-110-CLOUD-2023-0016
GCVE-110-CLOUD-2023-0016
Advisory Published
Amazon Managed Workflows for Apache Airflow (MWAA) and the Task instance details
page in the Google Composer UI were not patched against CVE-2023-29247 (Stored XSS).
This meant that post-authentication, a threat actor could have exploited this
to store their JavaScript payload in the victim's managed Apache Airflow instance
and run JavaScript on behalf of the victim (who could be an admin or another
user with higher permissions than the threat actor, thereby leading to privilege escalation).
With JavaScript, threat actors could have run any operation in the session that the victim
is able to run — edit tasks, read jobs, run jobs, read plugins and configurations,
list connections, add variables and more.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| AWS | Connect | — | — |
| AWS | MWAA, Composer | — | — |
| AWS | Config | — | — |
| GCP | MWAA, Composer | — | — |
| AWS | SES | — | — |
Aliases
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.