CVE-2019-12398
unknown
| Score | Value |
|---|---|
| CVSS v3 | — |
| CVSS v2 | — |
| VIR risk | — |
Description
In Apache Airflow before 1.10.5, when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. The new "RBAC" UI is unaffected.
Predictions
| Prediction | Value |
|---|---|
| Exploit likelihood | 30% |
| Patch ETA | — |
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | apache-airflow | <1.10.5 | 1.10.5 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-12398
- https://github.com/apache/airflow
- https://github.com/apache/airflow/blob/1.10.5/CHANGELOG.txt
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-162.yaml
- https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E
- https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b@%3Cdev.airflow.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/01/14/2
- https://github.com/advisories/GHSA-rjvg-q57v-mjjc