Apache Airflow vulnerable to XSS · CVE-2017-17836 · GitHub Advisory Database · GitHub

Apache Airflow vulnerable to XSS

Critical severity GitHub Reviewed Published Jan 25, 2019 to the GitHub Advisory Database • Updated Aug 30, 2023

Package

apache-airflow (pip)

Affected versions

<= 1.8.2

Patched versions

1.9.0

Description

In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, weather it be via XSS or by leaving a machine unlocked can exfil all credentials from the system.

References

Published to the GitHub Advisory Database Jan 25, 2019

Reviewed Jun 16, 2020

Last updated Aug 30, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H