A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. This also presented a local file disclosure vulnerability for any file readable by the webserver process.
Reporter | Title | Published | Views | Family |
---|---|---|---|---|
OSV | Apache Airflow vulnerable to XSS and local file disclosure | 22 Nov 2019 13:45 | – | osv |
OSV | PYSEC-2019-216 | 30 Oct 2019 22:15 | – | osv |
Veracode | Cross-Site Scripting (XSS) | 31 Oct 2019 02:21 | – | veracode |
Cvelist | CVE-2019-12417 | 30 Oct 2019 21:04 | – | cvelist |
Github Security Blog | Apache Airflow vulnerable to XSS and local file disclosure | 22 Nov 2019 13:45 | – | github |
NVD | CVE-2019-12417 | 30 Oct 2019 22:15 | – | nvd |
Prion | Arbitrary file deletion | 30 Oct 2019 22:15 | – | prion |
[
  {
    "product": "Apache Airflow",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Airflow up to 1.10.5"
      }
    ]
  }
]