CVE-2017-17836

Name of the Vulnerable Software and Affected Versions Apache Airflow versions 1.8.2 and earlier

Description The issue allows an attacker with limited access to Airflow to exfiltrate all credentials from the system. This can occur through various means, such as XSS or by gaining physical access to an unlocked machine. The experimental Airflow feature in question displays authenticated cookies and passwords to databases used by Airflow, thus facilitating the exfiltration of sensitive information.

Recommendations For Apache Airflow versions 1.8.2 and earlier, consider disabling the experimental feature that displays authenticated cookies and database passwords as a temporary workaround until a patch is available. Restrict access to the Airflow system to minimize the risk of exploitation.