Apache Airflow

CVE-2019-12417: Apache Airflow <= 1.10.5 XSS and Local File Disclosure


Vulnerability description:

Insufficient validation of the fileloc field of the selected item lets a privileged (admin) user submit JavaScript that passes the server-side validation, is saved in the metadata database, and is then rendered when another user opens the relevant section (stored XSS). The same unvalidated file location also gave local file disclosure: any file readable by the webserver process could be read back through it.
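The pattern behind both findings, as an added example that is not Airflow's own code and does not reproduce the project's actual fix: a stand-in "code view" that renders the file named by a stored fileloc value. The view, the DAGs folder, the file names and the sample contents are all hypothetical and constructed here; the vulnerable function trusts the stored value and emits the file unescaped, the hardened one confines the path to a configured folder and escapes the output.

```python
"""Minimal model of a view that renders the file named by a stored fileloc.

Added example, not Airflow's code. Assumptions: the view is a plain function
taking the stored fileloc string and returning HTML, and the only legitimate
files are those under a configured DAGs folder (hypothetical layout).
"""
import html
import os
import tempfile


class FilelocRejected(ValueError):
    """Raised by the hardened view when fileloc points outside the DAGs folder."""


def render_code_view_vulnerable(fileloc: str) -> str:
    # Trusts the stored field completely: any file the webserver process can
    # read is disclosed, and its contents land in the page unescaped, so a
    # stored <script> tag runs in the viewer's browser (stored XSS).
    with open(fileloc, encoding="utf-8", errors="replace") as fh:
        return "<pre>" + fh.read() + "</pre>"


def validate_fileloc(fileloc: str, dags_folder: str) -> str:
    """Return the canonical path if fileloc lies inside dags_folder, else raise."""
    root = os.path.realpath(dags_folder)
    # realpath resolves '..' and symlinks; an absolute fileloc also ends up
    # outside root because os.path.join discards root for absolute paths.
    candidate = os.path.realpath(os.path.join(root, fileloc))
    if os.path.commonpath([root, candidate]) != root:
        raise FilelocRejected(f"fileloc outside DAGs folder: {fileloc!r}")
    if not os.path.isfile(candidate):
        raise FilelocRejected(f"fileloc is not a regular file: {fileloc!r}")
    return candidate


def render_code_view_hardened(fileloc: str, dags_folder: str) -> str:
    # Re-validate at render time (the value in the database is not trusted),
    # then escape the contents so markup is displayed as text, not executed.
    path = validate_fileloc(fileloc, dags_folder)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return "<pre>" + html.escape(fh.read()) + "</pre>"


def demo() -> dict:
    """Exercise both views against a constructed DAGs folder and a secret outside it."""
    with tempfile.TemporaryDirectory() as base:
        dags = os.path.join(base, "dags")
        os.mkdir(dags)
        # constructed sample DAG file whose text carries a script tag
        dag_path = os.path.join(dags, "evil_dag.py")
        with open(dag_path, "w", encoding="utf-8") as fh:
            fh.write("# dag\n<script>alert(document.cookie)</script>\n")
        # constructed secret outside the DAGs folder, readable by this process
        secret_path = os.path.join(base, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2\n")

        results = {
            # vulnerable view: arbitrary readable file, raw markup in the page
            "vuln_secret": render_code_view_vulnerable(secret_path),
            "vuln_dag": render_code_view_vulnerable(dag_path),
            # hardened view: legitimate file, markup escaped
            "hard_dag": render_code_view_hardened("evil_dag.py", dags),
        }
        # hardened view: absolute and traversal locations outside root are refused
        for key, bad in (("hard_abs", secret_path), ("hard_traversal", "../secret.txt")):
            try:
                render_code_view_hardened(bad, dags)
                results[key] = "ALLOWED"
            except FilelocRejected:
                results[key] = "rejected"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two checks are deliberately independent: confining the path stops the file disclosure, escaping the output stops the script from running, and either alone leaves the other finding open.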


CVSS Base Score: 4.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (reachable over the network, but the payload must be stored by a highly privileged user and triggered by a user who views it; scope is changed because the script executes in the victim's browser rather than in the Airflow webserver)


Affected Products and Versions

Apache Airflow <= 1.10.5.


Remediation/Fixes

Upgrade to Apache Airflow 1.10.6 or later, the first release containing the fix.

https://lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@<users.airflow.apache.org>

https://nvd.nist.gov/vuln/detail/CVE-2019-12417


Paweł Kuryłowicz
