Lucene search

GitHub Advisory DatabaseGHSA-Q3P4-GW7R-WQJC

HistoryNov 22, 2019 - 1:45 p.m.

Apache Airflow vulnerable to XSS and local file disclosure

2019-11-2213:45:22

CWE-79

GitHub Advisory Database

github.com

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.2%

JSON

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.

Affected configurations

Vulners

Node

apacheairflowRange<1.10.6

CPENameOperatorVersion
apache-airflowlt1.10.6

CPE	Name	Operator	Version
	apache-airflow	lt	1.10.6

References

github.com/advisories/GHSA-q3p4-gw7r-wqjc

github.com/apache/airflow/commit/fed0d0ee10275c5b0fccdb44a077dfa1f364acb6

lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@%3Cusers.airflow.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2019-12417

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.2%

JSON

Related for GHSA-Q3P4-GW7R-WQJC