CVE-2017-17836
CRITICAL 9.8 | EPSS 0.44% | Apache Airflow vulnerable to XSS
Published: 2019/1/25 | Modified: 2024/9/12
Description
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies as well as the passwords of databases used by Airflow. An attacker with only limited access to Airflow, whether via XSS or by finding a machine left unlocked, could exfiltrate all of these credentials from the system.
Affected packages (2)
- PyPI/apache-airflow: from 0, < 1.9.0
- PyPI/apache-airflow: from 0, < 1.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORY: https://github.com/advisories/GHSA-9gqg-3fxr-9hv7
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-17836
- PATCH: https://github.com/apache/airflow
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-149.yaml
- WEB: https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E