Message-Id: <BE259830-444F-44E4-B57E-25CD9D78476F@apache.org>
Date: Wed, 30 Oct 2019 09:06:24 +0000
From: Ash Berlin-Taylor <ash@...che.org>
To: users@...flow.apache.org,
oss-security@...ts.openwall.com
Cc: dev@...flow.apache.org,
Apache Security Team <security@...che.org>,
Pawel.Kurylowicz@...uring.pl,
Frantisek Uhrecky <frantisek.uhrecky@...adelo.com>,
Marek Takac <marek.takac@...adelo.com>
Subject: [CVE-2019-12417] Apache Airflow stored xss and local file disclosure vulnerability <= 1.10.5

CVE-2019-12417: Stored XSS and Local File Disclosure vulnerability

Versions Affected:
<= 1.10.5

Description:
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
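The advisory names two bug classes: values read back from the metadata database reaching a page unescaped, and a user-controlled path being opened by the webserver process. As an added illustration (this is not Airflow's code nor its fix; the field contents, the log directory and the helper names are assumed), the standard-library pattern that closes each class is to HTML-escape every database-sourced string before it is rendered, and to resolve a requested file path and require it to stay under one allowed base directory:

```python
# Added illustration, not Airflow's code: the two defensive checks that
# close the bug classes named in CVE-2019-12417 (assumed names and paths).
import html
from pathlib import Path


def render_db_field(value) -> str:
    """Render a string that came from the metadata database inside an HTML
    table cell. Escaping with quote=True also neutralises attribute breakouts,
    so stored markup is displayed as text rather than executed."""
    return "<td>%s</td>" % html.escape(str(value), quote=True)


def resolve_allowed_file(requested: str, base_dir: str) -> Path:
    """Resolve a user-supplied relative path and require the result to stay
    inside base_dir. Raises ValueError for '..' traversal or for absolute
    paths, which Path's '/' operator would otherwise let replace base_dir."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError("path escapes allowed directory: %r" % requested)
    return candidate


def file_is_allowed(requested: str, base_dir: str) -> bool:
    """Boolean wrapper around resolve_allowed_file for callers that only
    need a yes/no answer (e.g. a request-time guard before open())."""
    try:
        resolve_allowed_file(requested, base_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values standing in for edited database objects.
    print(render_db_field('<script>alert(1)</script>'))
    print(render_db_field('x" onmouseover="alert(1)'))
    # Constructed log-directory layout; base_dir is assumed, not Airflow's.
    print(file_is_allowed("dag1/task1/1.log", "/srv/airflow_logs"))
    print(file_is_allowed("../etc/passwd", "/srv/airflow_logs"))
    print(file_is_allowed("/etc/passwd", "/srv/airflow_logs"))
```

The path check must run on the resolved path, not the raw string: a prefix test on the text of `requested` misses `..` segments and symlinks, and `base / "/absolute"` silently discards `base`, which is why both cases are tested above.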

Credit:
Thanks to Pawel Kurylowicz (of securing.pl), and Frantisek Uhrecky and Marek Takac (both of citadelo.com) for all independently reporting this vulnerability.

Thanks,
Ash
Apache Airflow PMC member