composer/BP_EXT/2023_002
Cloud Composer has higher version than airflow-2.2.3
Product: Cloud Composer
Rule class: BP_EXT - (Extended) Best practice, opinionated recommendation
Description
Cloud Composer has higher version than airflow-2.2.3
The Airflow UI in Airflow 2.2.3 and earlier versions is vulnerable to CVE-2021-45229: the “Trigger DAG with config” screen was susceptible to XSS attacks through the origin query argument.
Remediation
Upgrade to the latest Cloud Composer version that supports Airflow 2.2.5.
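
One way to run the version check this rule describes over an inventory of environments, as an added example that is not the rule's own implementation. It assumes image version strings of the form composer-X.Y.Z-airflow-A.B.C (optionally abbreviated or with a build suffix); the environment names and the sample inventory are constructed.

```python
import re

# Highest Airflow release the page lists as affected by CVE-2021-45229.
LAST_VULNERABLE = (2, 2, 3)

# Assumed image version format: "composer-2.0.10-airflow-2.2.3". The Airflow
# part may be abbreviated in aliases ("airflow-2") or carry a suffix
# such as "-build.1".
_IMAGE_RE = re.compile(r"^composer-[\w.]+-airflow-(\d+(?:\.\d+){0,2})(?:-.+)?$")


def airflow_version(image_version):
    """Return the Airflow version as an int tuple, or None if it cannot be judged."""
    m = _IMAGE_RE.match(image_version.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Abbreviated aliases do not pin a patch release, so they stay undecided.
    return parts if len(parts) == 3 else None


def check(environments):
    """Map environment name -> 'ok' | 'fail' | 'unknown'."""
    result = {}
    for name, image in environments.items():
        ver = airflow_version(image)
        if ver is None:
            result[name] = "unknown"
        elif ver <= LAST_VULNERABLE:  # numeric tuple compare: 2.10.x > 2.2.x
            result[name] = "fail"
        else:
            result[name] = "ok"
    return result


# Constructed sample inventory (hypothetical environment names).
SAMPLE = {
    "env-a": "composer-2.0.0-airflow-2.2.3",
    "env-b": "composer-2.0.10-airflow-2.2.5",
    "env-c": "composer-1.17.7-airflow-1.10.15",
    "env-d": "composer-2-airflow-2",
    "env-e": "composer-2.5.0-airflow-2.10.2-build.1",
}

if __name__ == "__main__":
    for env, status in check(SAMPLE).items():
        print(f"{env}: {status}")
```

Versions are compared as integer tuples rather than strings, so a release such as 2.10.2 is not mistaken for one older than 2.2.3.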