Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 14 Jan 2020 11:30:00 +0000
From: Ash Berlin-Taylor <>
To: ""
 "" <>, 
 "" <>
Cc: yvreddy <>, Apache Security Team
Subject: [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in
 classic UI

Versions Affected:
<= 1.10.4.

In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.

This issue was discovered by "Venkat"/yvreddy

(Sorry for the delay in reporting this in a timely manner. It was fixed in 1.10.5 which was released 2019-09-04)
on behalf of Apache Airflow PMC

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.