There were two vulnerabilities fixed in the release of Apache Airflow 1.10.3 affecting the `airflow webserver` service:
CVE-2019-0216: Stored XSS
Versions Affected: <= 1.10.2
Description:
A malicious admin user could edit the state of objects in the Airflow
metadata database to execute arbitrary JavaScript on certain page views.
Credit:
Thanks to Nicolas Heiniger (of photochrome.ch), Matt S, Francesco
Soncina (of ABN AMRO), and "Media Rest" for all independently reporting
this vulnerability.
CVE-2019-0229: Improper CSRF validation against various endpoints
Versions Affected: <= 1.10.2
Description:
A number of HTTP endpoints in the Airflow webserver (both RBAC and classic)
did not have adequate protection and were vulnerable to cross-site request
forgery attacks.
Credit:
Thanks to Erik Mulder at bol.com for reporting this.
(CVE-2019-0216 is similar to CVE-2018-20244 from 1.10.2. We missed some cases of this in the previous fix.)
Thanks,
Ash
Apache Airflow PMC member