Vulnerability Description
In Apache Airflow before 1.10.5, when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views (stored cross-site scripting). The new "RBAC" UI is unaffected.
CVSS Score
4.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 1.10.5 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2020/01/14/2 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a (Mailing List, Vendor Advisory)
FAQ
What is CVE-2019-12398?
CVE-2019-12398 is a vulnerability with a CVSS score of 4.8 (MEDIUM). In Apache Airflow before 1.10.5, when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. The new "RBAC" UI is unaffected.
How severe is CVE-2019-12398?
CVE-2019-12398 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2019-12398?
Check the references section above for vendor advisories and patch information. Affected products include Apache Airflow (versions before 1.10.5); the vulnerability does not affect the "RBAC" UI.