CVE-2019-12398
N/A
N/A
Summary
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache | Airflow | Apache Airflow <= 1.10.4 | affected |
Weaknesses
- Stored XSS
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cdev.airflow.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/01/14/2
- https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
References
- https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cdev.airflow.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/01/14/2
- https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.