[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DCAAED18-E405-402F-B422-171BE104BC23@getmailspring.com>
Date: Tue, 14 Jan 2020 11:30:00 +0000
From: Ash Berlin-Taylor <ash@...che.org>
To: "oss-security@...ts.openwall.com"
<oss-security@...ts.openwall.com>,
"users@...flow.apache.org" <users@...flow.apache.org>,
"dev@...flow.apache.org" <dev@...flow.apache.org>
Cc: yvreddy <yvreddyln@...il.com>, Apache Security Team
<security@...che.org>
Subject: [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in
classic UI
Versions Affected:
<= 1.10.4.
Description:
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.
Credit:
This issue was discovered by "Venkat"/yvreddy
(Sorry for the delay in reporting this in a timely manner. It was fixed in 1.10.5 which was released 2019-09-04)
Thanks,
Ash,
on behalf of Apache Airflow PMC
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
