airflow-dev mailing list archives

From Ash Berlin-Taylor <...@apache.org>
Subject CVE-2018-20244: Stored XSS in Apache Airflow <= 1.10.1
Date Wed, 23 Jan 2019 10:13:21 GMT
CVE-2018-20244: Stored XSS in Apache Airflow 1.10.1

Vendor: The Apache Software Foundation

Versions Affected: <= 1.10.1

Description:
A malicious admin user could edit the state of objects in the Airflow metadata database to
execute arbitrary JavaScript on certain page views.

Credit:
This issue was discovered by Michael Cole of Modus Security

Fix:
Upgrade to Airflow 1.10.2