CVE-2017-17836: XSS
First published: Wed Jan 23 2019(Updated: )
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, weather it be via XSS or by leaving a machine unlocked can exfil all credentials from the system.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/apache-airflow | <=1.8.2 | 1.9.0 |
| <=1.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-17836
- https://github.com/advisories/GHSA-9gqg-3fxr-9hv7 (Advisory)
- https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E
- https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57%40%3Cdev.airflow.apache.org%3E
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-149.yaml
- collector/github-advisory
- alias/GHSA-9gqg-3fxr-9hv7
- alias/CVE-2017-17836
- collector/nvd-index
- agent/author
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/first-publish-date
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- package-manager/pip
- vendor/apache
- canonical/apache airflow
- version/apache airflow/1.8.2