VDB

GCVE-110-CLOUD-2023-0016

GCVE-110-CLOUD-2023-0016
Advisory Published
Vulnetix · Advisory published November 2, 2023
Amazon Managed Workflows for Apache Airflow (MWAA) and the Task instance details page in the Google Composer UI were not patched against CVE-2023-29247 (Stored XSS). This meant that post-authentication, a threat actor could have exploited this to store their JavaScript payload in the victim's managed Apache Airflow instance and run JavaScript on behalf of the victim (who could be an admin or another user with higher permissions than the threat actor, thereby leading to privilege escalation). With JavaScript, threat actors could have run any operation in the session that the victim is able to run — edit tasks, read jobs, run jobs, read plugins and configurations, list connections, add variables and more.

Affected Products

VendorProductVersionsPlatforms
AWSConnect
AWSMWAA, Composer
AWSConfig
GCPMWAA, Composer
AWSSES

References

ApatchMe
advisory
advisory
advisory

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›