Vulnerability in Apache Airflow

CVE-2019-12398

In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffec…

EPSS: 0.006 (68.8th percentile) — read the EPSS interpretation.

Affected products

Apache Airflow — versions Apache Airflow <= 1.10.4

References

[airflow-dev] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI (mailing-list, x_refsource_MLIST)
[oss-security] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI (mailing-list, x_refsource_MLIST)
[airflow-users] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI (mailing-list, x_refsource_MLIST)