airflow-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ash Berlin-Taylor <>
Subject CVE-2019-0216, CVE-2019-0229 vulnerabilities affecting Apache Airflow <= 1.10.2 webserver component
Date Wed, 10 Apr 2019 18:03:42 GMT
There were two vulnerabilities fixed in release of Apache Airflow 1.10.3 affecting the `airflow
webserver` service:

CVE-2019-0216: Stored XSS

  Versions Affected: <= 1.10.2

  A malicious admin user could edit the state of objects in the  Airflow
  metadata database to execute arbitrary javascript on certain page views.

  Thanks to Nicolas Heiniger ( of, Matt S, and Francesco
  Soncina (of ABN AMRO), and "Media Rest" for all independently reporting
  this vulnerability.

CVE-2019-0229: Improper CSRF validation against various endpoints
  Versions Affected: <= 1.10.2

  A number of HTTP endpoints in the Airflow webserver (both RBAC and classic)
  did not have adequate protection and were vulnerable to cross-site request
  forgery attacks.

  Thanks to Erik Mulder at for reporting this.

(CVE-2019-0216 is similar to CVE-2018-20244 form 1.10.2. We missed some cases of this in the
previous fix)

Apache Airflow PMC member
View raw message