airflow-dev mailing list archives

From Ash Berlin-Taylor <...@apache.org>
Subject CVE-2019-0216, CVE-2019-0229 vulnerabilities affecting Apache Airflow <= 1.10.2 webserver component
Date Wed, 10 Apr 2019 18:03:42 GMT
Two vulnerabilities affecting the `airflow webserver` service were fixed in the Apache Airflow 1.10.3 release:


CVE-2019-0216: Stored XSS

  Versions Affected: <= 1.10.2

  Description:
  A malicious admin user could edit the state of objects in the Airflow
  metadata database to execute arbitrary JavaScript on certain page views.

  Credit:
  Thanks to Nicolas Heiniger (of photochrome.ch), Matt S, Francesco
  Soncina (of ABN AMRO), and "Media Rest" for all independently reporting
  this vulnerability.

CVE-2019-0229: Improper CSRF validation against various endpoints

  Versions Affected: <= 1.10.2

  Description:
  A number of HTTP endpoints in the Airflow webserver (both RBAC and classic)
  did not have adequate protection and were vulnerable to cross-site request
  forgery attacks.

  Credit:
  Thanks to Erik Mulder at bol.com for reporting this.


(CVE-2019-0216 is similar to CVE-2018-20244 from 1.10.2. We missed some cases of this in the
previous fix.)

Thanks,
Ash
Apache Airflow PMC member
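As an added example, not code from this advisory or from the Apache Airflow project, the two vulnerability classes described above shown in plain Python: a value read from the metadata database rendered unescaped (the stored XSS class of CVE-2019-0216) beside the escaped rendering, and a session-bound CSRF token verified by a state-changing handler (the missing check behind CVE-2019-0229). The sample row, the `description` field, the session id, the secret key and `handle_state_change` are all constructed for this illustration and do not correspond to Airflow's actual schema, endpoints or implementation.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional, Tuple

# --- Stored XSS class: a database value rendered into a page ---------------
# Constructed sample row. The field name is hypothetical, not Airflow's schema;
# the value is what an admin-level user could have written into the metadata DB.
STORED_ROW = {"dag_id": "example_dag", "description": '<script>alert("stored")</script>'}


def render_unsafe(row: dict) -> str:
    """Interpolates the stored value verbatim, so the browser treats it as markup."""
    return "<td>{}</td>".format(row["description"])


def render_safe(row: dict) -> str:
    """Escapes the stored value, so the browser shows it as text, never as markup."""
    return "<td>{}</td>".format(html.escape(row["description"], quote=True))


# --- CSRF class: state-changing request without a session-bound token ------
# Constructed per-process secret; a real deployment loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derives a token bound to the session; the form embeds it, the handler checks it."""
    return hmac.new(SECRET_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, submitted_token: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)


def handle_state_change(method: str, session_id: str, form: dict) -> Tuple[int, str]:
    """Hypothetical handler for an action that mutates server state.

    A cross-site page can make the victim's browser send a request that carries
    the victim's session cookie, but it cannot read the session-bound token to
    include it, so requiring the token on every state-changing request (and
    refusing non-POST methods for such actions) is what blocks the forgery.
    """
    if method != "POST":
        return 405, "method not allowed"
    if not csrf_valid(session_id, form.get("csrf_token")):
        return 400, "CSRF token missing or invalid"
    return 200, "state changed"


if __name__ == "__main__":
    print(render_unsafe(STORED_ROW))
    print(render_safe(STORED_ROW))
    token = issue_csrf_token("session-abc")
    print(handle_state_change("POST", "session-abc", {}))
    print(handle_state_change("POST", "session-abc", {"csrf_token": token}))
```

Two points the snippet makes concrete: the escaping has to happen at render time for every field an authenticated user can write, since a template that marks one field as safe reintroduces the stored XSS for that field alone; and the CSRF token must be tied to the session and compared in constant time, because a token that is the same for every user, or one that a GET handler never demands, gives no protection.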