CVE-2023-47265: 
Apache Airflow vulnerability analysis and mitigation

CVE-2023-47265 affects Apache Airflow versions 2.6.0 through 2.7.3. The vulnerability was discovered by Jens Scheffler and Andrey Anshin, and was disclosed on December 21, 2023. This security issue involves a stored Cross-Site Scripting (XSS) vulnerability that affects the parameter description field of DAGs (Directed Acyclic Graphs) in Apache Airflow (OSS Security, NVD).

The vulnerability is a stored XSS issue that allows DAG authors to inject unbounded and unsanitized JavaScript code in the parameter description field of the DAG. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

While the vulnerability does not allow attackers to escape the browser sandbox or manipulate server-side data beyond the DAG author's existing permissions, it enables modification of what users see when viewing DAG details in the browser. This creates opportunities for misleading other users through manipulated display content (OSS Security).

Users are recommended to upgrade to Apache Airflow version 2.8.0 or newer to mitigate this vulnerability. The fix includes making raw HTML descriptions configurable and introducing a new configuration option 'allow_html_in_dag_docs' which defaults to False. Additionally, Markdown is now supported for parameter descriptions as a safer alternative to raw HTML (GitHub PR).