CVE-2019-12398: Cross-site Scripting in Apache Airflow

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.7% (top 27.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 14
Latest update: May 6

Description

In Apache Airflow before 1.10.5, when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. The new "RBAC" UI is unaffected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages (2 packages)

NVD: apache/airflow < 1.10.5
CVEListV5: apache/airflow, Apache Airflow <= 1.10.4

🔴 Vulnerability Details (4)

GHSA: XSS in Apache Airflow (2020-05-06)
OSV: XSS in Apache Airflow (2020-05-06)
CVEList: CVE-2019-12398: In Apache Airflow before 1 (2020-01-14)
OSV: CVE-2019-12398: In Apache Airflow before 1 (2020-01-14)