CVE-2017-17836: Apache Airflow vulnerable to XSS
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to Airflow, whether via XSS or by leaving a machine unlocked, can exfiltrate all credentials from the system.
References
- github.com/advisories/GHSA-9gqg-3fxr-9hv7
- github.com/apache/airflow
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-149.yaml
- lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2017-17836
Detect and mitigate CVE-2017-17836 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.