oss-sec mailing list archives

CVE-2019-0216, CVE-2019-0229 vulnerabilities affecting Apache Airflow <= 1.10.2 webserver component

From: Ash Berlin-Taylor <ash () apache org>
Date: Wed, 10 Apr 2019 19:03:42 +0100

There were two vulnerabilities fixed in release of Apache Airflow 1.10.3 affecting the `airflow webserver` service:


CVE-2019-0216: Stored XSS

  Versions Affected: <= 1.10.2

  Description:
  A malicious admin user could edit the state of objects in the  Airflow
  metadata database to execute arbitrary javascript on certain page views.

  Credit:
  Thanks to Nicolas Heiniger ( of photochrome.ch), Matt S, and Francesco
  Soncina (of ABN AMRO), and "Media Rest" for all independently reporting
  this vulnerability.

CVE-2019-0229: Improper CSRF validation against various endpoints
  
  Versions Affected: <= 1.10.2

  Description:
  A number of HTTP endpoints in the Airflow webserver (both RBAC and classic)
  did not have adequate protection and were vulnerable to cross-site request
  forgery attacks.

  Credit:
  Thanks to Erik Mulder at bol.com for reporting this.


(CVE-2019-0216 is similar to CVE-2018-20244 form 1.10.2. We missed some cases of this in the previous fix)

Thanks,
Ash
Apache Airflow PMC member

Current thread:

CVE-2019-0216, CVE-2019-0229 vulnerabilities affecting Apache Airflow <= 1.10.2 webserver component Ash Berlin-Taylor (Apr 10)