CVE-2017-17836: Cross-site Scripting in Apache Airflow

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.4% (top 36.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 23; latest update Jan 25

Description

In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to Airflow, whether it be via XSS or by leaving a machine unlocked, can exfiltrate all credentials from the system.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: apache/airflow 1.8.2
CVEListV5: apache_software_foundation/apache_airflow, Apache Airflow <= 1.8.2

Vulnerability Details (4 sources)

OSV: Apache Airflow vulnerable to XSS (2019-01-25)
GHSA: Apache Airflow vulnerable to XSS (2019-01-25)
CVEList: CVE-2017-17836: In Apache Airflow 1 (2019-01-23)
OSV: CVE-2017-17836: In Apache Airflow 1 (2019-01-23)
CVE-2017-17836 — Cross-site Scripting in Apache Airflow | cvebase