Message-Id: <ADC20BCD-A200-4808-B6D3-6A7C339ED840@apache.org>
Date: Wed, 10 Apr 2019 19:03:42 +0100
From: Ash Berlin-Taylor <ash@...che.org>
To: dev@...flow.apache.org, oss-security@...ts.openwall.com
Cc: Apache Security Team <security@...che.org>
Subject: CVE-2019-0216, CVE-2019-0229 vulnerabilities affecting Apache Airflow <= 1.10.2 webserver component

There were two vulnerabilities fixed in the release of Apache Airflow 1.10.3 affecting the `airflow webserver` service:

CVE-2019-0216: Stored XSS

Versions Affected: <= 1.10.2

Description: A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

Credit: Thanks to Nicolas Heiniger (of photochrome.ch), Matt S, and Francesco Soncina (of ABN AMRO), and "Media Rest" for all independently reporting this vulnerability.

CVE-2019-0229: Improper CSRF validation against various endpoints

Versions Affected: <= 1.10.2

Description: A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

Credit: Thanks to Erik Mulder at bol.com for reporting this.

(CVE-2019-0216 is similar to CVE-2018-20244 from 1.10.2. We missed some cases of this in the previous fix)

Thanks,
Ash
Apache Airflow PMC member
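The two defects announced above are both classic web-application control gaps: a state-changing endpoint that accepts a request without a CSRF token bound to the caller's session, and a view that embeds database-sourced values into HTML without escaping. The following is an added example, written for this page and not taken from the advisory or from the Airflow code base, showing the two checks a webserver endpoint needs. It uses only the Python standard library; `handle_state_change`, `render_object_field`, the request dictionary shape and the in-memory `SECRET_KEY` are all hypothetical stand-ins for a real framework's request object and configuration.

```python
import hashlib
import hmac
import html
import secrets
from typing import Dict, Optional

# Constructed for this example: a real deployment loads the key from configuration.
SECRET_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the caller's session.

    A cross-site request carries the victim's session cookie automatically,
    but the attacking origin cannot read this token, so the request fails.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, submitted_token: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted_token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), submitted_token)


def handle_state_change(request: Dict) -> Dict:
    """Hypothetical state-changing endpoint (think 'pause this DAG').

    `request` is a constructed dict with keys: method, cookies, form.
    Returns a dict with an HTTP status and a body, so the checks are testable.
    """
    # State changes must not be reachable via GET: a plain <img> or link
    # on another site would otherwise trigger them with the user's cookie.
    if request["method"] != "POST":
        return {"status": 405, "body": "state changes require POST"}

    session_id = request["cookies"].get("session")
    if session_id is None:
        return {"status": 401, "body": "no session"}

    # The check that CVE-2019-0229 describes as missing on several endpoints.
    if not csrf_valid(session_id, request["form"].get("csrf_token")):
        return {"status": 403, "body": "CSRF token missing or invalid"}

    return {"status": 200, "body": "ok"}


def render_object_field(value: str) -> str:
    """Embed a value read from the metadata database into an HTML table cell.

    Escaping on output is the mitigation for the stored XSS class in
    CVE-2019-0216: whatever an admin wrote into the database is shown as
    text, never interpreted as markup or script.
    """
    return "<td>%s</td>" % html.escape(value, quote=True)


if __name__ == "__main__":
    sid = "session-123"  # constructed session identifier
    ok = {"method": "POST", "cookies": {"session": sid},
          "form": {"csrf_token": make_csrf_token(sid)}}
    forged = {"method": "POST", "cookies": {"session": sid}, "form": {}}
    print(handle_state_change(ok)["status"], handle_state_change(forged)["status"])
    print(render_object_field("<b>not bold</b>"))
```

The token is an HMAC over the session identifier rather than a random value stored server-side, so validation needs no extra storage; the trade-off is that the token is stable for the life of the session, which is acceptable for CSRF protection because its only job is to prove the form was served by this origin. Escaping happens at render time, not at write time, so existing rows in the database are covered as well as new ones.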