Message-Id: <BE259830-444F-44E4-B57E-25CD9D78476F@apache.org>
Date: Wed, 30 Oct 2019 09:06:24 +0000
From: Ash Berlin-Taylor <ash@...che.org>
To: users@...flow.apache.org,
 oss-security@...ts.openwall.com
Cc: dev@...flow.apache.org,
 Apache Security Team <security@...che.org>,
 Pawel.Kurylowicz@...uring.pl,
 Frantisek Uhrecky <frantisek.uhrecky@...adelo.com>,
 Marek Takac <marek.takac@...adelo.com>
Subject: [CVE-2019-12417] Apache Airflow stored xss and local file disclosure
 vulnerability <= 1.10.5 

CVE-2019-12417: Stored XSS and Local File Disclosure vulnerability 

  Versions Affected:
  <= 1.10.5

  Description:
    A malicious admin user could edit the state of objects in the Airflow metadata database so that arbitrary JavaScript was executed on certain page views (stored XSS). The same issue also presented a Local File Disclosure vulnerability: any file readable by the webserver process could be exposed.

  Credit:
    Thanks to Pawel Kurylowicz (of securing.pl), and Frantisek Uhrecky and Marek Takac (both of citadelo.com) for all independently reporting this vulnerability.
 
Thanks,
Ash
Apache Airflow PMC member
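The advisory above names the bug class (a value an admin stores in the metadata database is later rendered by the webserver, leading to stored XSS and to disclosure of files the webserver can read) but not the affected views or the code path. The following is an added illustration of that class, not Airflow's code and not the fix shipped in 1.10.6: the field names, the HTML snippet and the idea that a stored path is used to open a file are assumptions made for the example. It shows each vulnerable pattern beside its hardened form, run against constructed attacker-controlled values.

```python
import html
import os
import tempfile


# Vulnerable pattern: a value read from the database is interpolated straight
# into HTML. The markup and the "dag_id" name are assumptions for this example.
def render_unsafe(dag_id):
    return '<a href="/dag?dag_id=%s">%s</a>' % (dag_id, dag_id)


# Hardened pattern: escape the value for both the attribute and the text
# context before it reaches the page (quote=True also encodes " and ').
def render_safe(dag_id):
    safe = html.escape(dag_id, quote=True)
    return '<a href="/dag?dag_id=%s">%s</a>' % (safe, safe)


# Vulnerable pattern: open whatever path the database row points at, so a
# row edited to name /etc/passwd (or any other readable file) discloses it.
def read_file_unsafe(fileloc):
    with open(fileloc, "rb") as f:
        return f.read()


# Hardened pattern: resolve symlinks and ".." first, then serve the file only
# if it still lies inside the directory the webserver is meant to expose.
def read_file_confined(fileloc, dags_folder):
    base = os.path.realpath(dags_folder)
    target = os.path.realpath(os.path.join(base, fileloc))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("refusing %r: resolves outside %s" % (fileloc, base))
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Run both patterns against constructed attacker-controlled values."""
    # Constructed payload an admin could store as a dag_id: closes the href
    # attribute and injects a script element.
    payload = '"><script>alert(document.cookie)</script>'
    results = {
        "unsafe_html": render_unsafe(payload),
        "safe_html": render_safe(payload),
    }
    with tempfile.TemporaryDirectory() as tmp:
        dags = os.path.join(tmp, "dags")
        os.mkdir(dags)
        with open(os.path.join(dags, "good.py"), "wb") as f:
            f.write(b"# legitimate DAG file\n")
        # Constructed secret: readable by the process but outside dags/.
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"db_password=hunter2\n")

        results["unsafe_read"] = read_file_unsafe(secret)
        results["confined_good"] = read_file_confined("good.py", dags)
        for key, bad in (("confined_abs", secret), ("confined_rel", "../secret.txt")):
            try:
                read_file_confined(bad, dags)
                results[key] = "READ"
            except PermissionError:
                results[key] = "BLOCKED"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The escaping half is only a stand-in for what a template engine with autoescaping does; the point is that every database-sourced value must be treated as untrusted on output, even when only admins can write it, because an admin account can be compromised. The path check uses `realpath` before `commonpath` so that both `../` sequences and symlinks planted inside the allowed directory are caught.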
