
CVE-2022-45402

Severity: Medium
Published: 15 November 2022
Modified: 30 April 2025
KEV Added: not listed
Patch: available (upgrade to Airflow 2.4.3 or later)
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0636 (91.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-45402 is a medium-severity Open Redirect (CWE-601) vulnerability in Apache Airflow. Its CVSS base score is 6.1 (Medium).

Operationally, this CVE ranks in the top 8.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

In Apache Airflow versions prior to 2.4.3, an open redirect vulnerability (CWE-601) existed in the webserver's /login endpoint. The flaw carried a CVSS 3.1 score of 6.1 and allowed manipulation of redirect targets without authentication.

An unauthenticated attacker could craft a malicious link that, when visited by a user, causes the Airflow login flow to redirect the victim to an attacker-controlled site. Successful exploitation could result in limited confidentiality and integrity impact, typically via phishing or credential-harvesting pages; the attack requires user interaction to trigger.

Public advisories and the referenced Apache security lists direct users to upgrade to Airflow 2.4.3 or later; the fix is also available via the merged pull request 27576 that closes the redirect vector in the login handler. The associated EPSS score has remained flat at 0.0636 with no material increase since disclosure.


Vulnerability details

In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.

CWE(s)

CWE-601 (Open Redirect)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: airflow
Versions: ≤ 2.4.3

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Security awareness (addresses CWE-601): verifying URLs and avoiding untrusted redirects that lead to malicious sites.

Redirect target validation (addresses CWE-601): validates redirect targets and URLs to ensure they conform to allowed destinations.
