PT-2018-9567 · Luigi · Luigi

Published 2018-12-20 · Updated 2019-02-07 · CVE-2018-1000843

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Luigi versions prior to 2.8.0

Description
The issue is a Cross-Site Request Forgery (CSRF) vulnerability in the API endpoint /api/<method>. It can result in task metadata, such as task name, id, parameters, etc., being leaked to unauthorized users. The attack appears to be exploitable via a specially crafted web page that the victim must visit from a network where their Luigi server is reachable.

Recommendations
For Luigi versions prior to 2.8.0, update to version 2.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /api/<method> API endpoint to minimize the risk of exploitation.
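The workaround above is about limiting who can reach /api/<method>. The following is an added example, written for this page and not taken from Luigi or from its 2.8.0 fix, of the kind of request-level CSRF gate a defender can put in front of a JSON API: it requires a custom header that plain <form>, <img> or <script> requests cannot attach, and it checks the request's Origin (or Referer) against an allowlist. The origin scheduler.example.internal:8082, the Request class and the sample requests are constructed for the example.

```python
"""Origin- and header-based CSRF gate for a JSON API path (added example, not Luigi code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical deployment: the scheduler UI is served from this origin only.
ALLOWED_ORIGINS = {"http://scheduler.example.internal:8082"}

# A custom header turns a cross-origin fetch/XHR into a preflighted request;
# HTML forms, <img> and <script> tags cannot set it at all.
REQUIRED_HEADER = "x-requested-with"
REQUIRED_VALUE = "xmlhttprequest"


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower())


def _source_origin(req):
    """Origin of the requesting page: prefer Origin, fall back to Referer's origin."""
    origin = req.header("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.header("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req):
    """Return (allowed, reason). Only paths under /api/ are policed."""
    if not req.path.startswith("/api/"):
        return True, "not an API path"
    if (req.header(REQUIRED_HEADER) or "").lower() != REQUIRED_VALUE:
        return False, "missing X-Requested-With header"
    origin = _source_origin(req)
    if origin is None:
        return False, "no Origin/Referer to verify"
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    return True, "ok"


# Constructed sample requests covering the cases the gate must distinguish.
SAMPLE_REQUESTS = {
    "same-origin xhr": Request(
        "/api/task_list",
        {"Origin": "http://scheduler.example.internal:8082",
         "X-Requested-With": "XMLHttpRequest"},
    ),
    # A lure page embedding the API URL in an <img>/<script> tag: no custom header.
    "cross-site tag": Request(
        "/api/task_list",
        {"Referer": "http://lure.example/page.html"},
    ),
    # A cross-origin fetch that did set the header: origin still not allowed.
    "cross-site fetch": Request(
        "/api/task_list",
        {"Origin": "http://lure.example", "X-Requested-With": "XMLHttpRequest"},
    ),
    # Referer-only client on the allowed origin (older browser behaviour).
    "referer-only same-origin": Request(
        "/api/task_list",
        {"Referer": "http://scheduler.example.internal:8082/static/visualiser/index.html",
         "X-Requested-With": "XMLHttpRequest"},
    ),
    "static asset": Request("/static/visualiser/index.html"),
}


def evaluate_samples():
    """Run the gate over every sample; returns {name: (allowed, reason)}."""
    return {name: csrf_check(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:26} -> {'allow' if allowed else 'deny '} ({reason})")
```

The header requirement alone stops the simple, non-preflighted requests a crafted page can issue; the origin allowlist adds a second check that does not depend on the browser's CORS behaviour. In a real deployment the same policy belongs in front of every /api/<method> handler, alongside the network-level restriction the advisory recommends.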

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2018-1000843
GHSA-P69G-F978-XXV9
PYSEC-2018-11

Affected Products

Luigi