composer/BP_EXT/2023_002

Cloud Composer has a higher version than airflow-2.2.3

Product: Cloud Composer
Rule class: BP_EXT - (Extended) Best practice, opinionated recommendation

Description

Cloud Composer has a higher version than airflow-2.2.3

The Airflow UI in Airflow 2.2.3 and earlier versions is vulnerable to CVE-2021-45229: the “Trigger DAG with config” screen was susceptible to XSS attacks through the `origin` query argument.
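
The version check described above, as an added Python example (not the rule's own implementation). It assumes image version strings of the form `composer-X.Y.Z-airflow-A.B.C`, optionally with a `-build.N` suffix; the environment names and the sample inventory are constructed.

```python
import re

# Last Airflow release the page lists as affected by CVE-2021-45229.
LAST_AFFECTED = (2, 2, 3)

# Assumed format: "composer-2.0.10-airflow-2.2.3". Newer images may end in
# "-build.N", and aliases may omit the minor/patch numbers. The string can be
# read per environment with:
#   gcloud composer environments describe ENV --location LOCATION \
#       --format="value(config.softwareConfig.imageVersion)"
_IMAGE_RE = re.compile(
    r"^composer-[\w.]+-airflow-(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-build\.\d+)?$"
)


def airflow_version(image_version):
    """Return the Airflow version as a tuple, or None if it cannot be pinned."""
    m = _IMAGE_RE.match(image_version.strip())
    if not m or m.group(2) is None or m.group(3) is None:
        return None  # unparsable, or an alias such as "composer-2-airflow-2"
    return tuple(int(g) for g in m.groups())


def classify(image_version):
    """Return 'fail', 'ok' or 'unknown' for one environment's image version."""
    version = airflow_version(image_version)
    if version is None:
        return "unknown"  # do not report an unresolved alias as safe
    return "fail" if version <= LAST_AFFECTED else "ok"


def audit(environments):
    """Map environment name -> verdict for a {name: image_version} dict."""
    return {name: classify(image) for name, image in environments.items()}


# Constructed sample inventory; environment names are hypothetical.
SAMPLE = {
    "etl-prod": "composer-2.0.10-airflow-2.2.3",
    "etl-staging": "composer-2.0.13-airflow-2.2.5",
    "legacy-reports": "composer-1.17.7-airflow-1.10.15",
    "ml-pipelines": "composer-2.9.7-airflow-2.9.3-build.1",
    "sandbox": "composer-2-airflow-2",
}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE).items()):
        print(f"{verdict:8} {name:16} {SAMPLE[name]}")
```

Environments reported as `unknown` use an alias or an unrecognized string and need their resolved Airflow version checked by hand.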

Remediation

Upgrade to the latest Cloud Composer version that supports Airflow 2.2.5.

Further information