Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 1.10.5

Description A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views when running with the "classic" UI. The new "RBAC" UI is unaffected.

Recommendations For versions prior to 1.10.5, update to version 1.10.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "classic" UI until the update is applied.