PT-2019-8250 · Apache · Apache Airflow

Published

2019-01-23

Updated

2019-04-19

CVE-2017-17836

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache Airflow versions 1.8.2 and earlier

Description The issue allows an attacker with limited access to Airflow to exfiltrate all credentials from the system. This can occur through various means, such as XSS or by gaining physical access to an unlocked machine. The experimental Airflow feature in question displays authenticated cookies and passwords to databases used by Airflow, thus facilitating the exfiltration of sensitive information.

Recommendations For Apache Airflow versions 1.8.2 and earlier, consider disabling the experimental feature that displays authenticated cookies and database passwords as a temporary workaround until a patch is available. Restrict access to the Airflow system to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79CWE-255

Related Identifiers

CVE-2017-17836

GHSA-9GQG-3FXR-9HV7

PYSEC-2019-149

Affected Products

Apache Airflow

PT-2019-8250 · Apache · Apache Airflow

CVE-2017-17836

Weakness Enumeration

Related Identifiers

Affected Products

References · 9