CVE-2017-17836 – apache-airflow
Package
Manager: pip
Name: apache-airflow
Vulnerable Version: >=0 <1.9.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00578 (percentile: 0.67888)
Details
Apache Airflow vulnerable to XSS
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to Airflow, whether via XSS or through a machine left unlocked, can exfiltrate all credentials from the system.
Metadata
Created: 2019-01-25T16:19:09Z
Modified: 2024-09-12T20:12:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-9gqg-3fxr-9hv7
Finding: F425
Auto approve: 1