CVE-2019-12398
MEDIUM4.8EPSS 0.61%XSS in Apache Airflow
Published: 5/6/2020Modified: 9/3/2024
Description
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
Affected packages (2)
- PyPI/apache-airflowfrom 0, < 1.10.5
- PyPI/apache-airflowfrom 0, < 1.10.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
References (8)
- ADVISORYhttps://github.com/advisories/GHSA-rjvg-q57v-mjjc
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-12398
- PATCHhttps://github.com/apache/airflow
- WEBhttps://github.com/apache/airflow/blob/1.10.5/CHANGELOG.txt
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-162.yaml
- WEBhttps://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b@%3Cdev.airflow.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
- WEBhttp://www.openwall.com/lists/oss-security/2020/01/14/2