Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

CVE-2019-0216, CVE-2019-0229 vulnerabilities affecting Apache Airflow <= 1.10.2 webserver component

Related Vulnerabilities: CVE-2019-0216   CVE-2019-0229   CVE-2018-20244  
Source 
                There were two vulnerabilities fixed in release of Apache Airflow 1.10.3 affecting the `airflow webserver` service:

CVE-2019-0216: Stored XSS

  Versions Affected: &lt;= 1.10.2

  Description:
  A malicious admin user could edit the state of objects in the  Airflow
  metadata database to execute arbitrary javascript on certain page views.

  Credit:
  Thanks to Nicolas Heiniger ( of photochrome.ch), Matt S, and Francesco
  Soncina (of ABN AMRO), and "Media Rest" for all independently reporting
  this vulnerability.

CVE-2019-0229: Improper CSRF validation against various endpoints
  
  Versions Affected: &lt;= 1.10.2

  Description:
  A number of HTTP endpoints in the Airflow webserver (both RBAC and classic)
  did not have adequate protection and were vulnerable to cross-site request
  forgery attacks.

  Credit:
  Thanks to Erik Mulder at bol.com for reporting this.

(CVE-2019-0216 is similar to CVE-2018-20244 form 1.10.2. We missed some cases of this in the previous fix)

Thanks,
Ash
Apache Airflow PMC member

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook
Vulmon Logo
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started