====================================================================
CERT-Renater Information Note No. 2019/VULN090
_____________________________________________________________________

DATE : 11/04/2019
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Airflow versions prior to 19.1.
=====================================================================

http://mail-archives.apache.org/mod_mbox/airflow-dev/201904.mbox/%3cADC20BCD-A200-4808-B6D3-6A7C339ED840@apache.org%3e
_____________________________________________________________________

There were two vulnerabilities fixed in the release of Apache Airflow 1.10.3 affecting the `airflow webserver` service:

CVE-2019-0216: Stored XSS

Versions Affected: <= 1.10.2

Description: A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views.

Credit: Thanks to Nicolas Heiniger (of photochrome.ch), Matt S, and Francesco Soncina (of ABN AMRO), and "Media Rest" for all independently reporting this vulnerability.

CVE-2019-0229: Improper CSRF validation against various endpoints

Versions Affected: <= 1.10.2

Description: A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

Credit: Thanks to Erik Mulder at bol.com for reporting this.

(CVE-2019-0216 is similar to CVE-2018-20244 from 1.10.2. We missed some cases of this in the previous fix.)

Thanks,
Ash
Apache Airflow PMC member

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris          | email:cert@support.renater.fr +
=========================================================
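The two vulnerability classes above (a stored value from the metadata database rendered unescaped into a page, and a state-changing endpoint that accepts any request carrying a valid session) are shown below in a stand-alone Python example added to this note. It is not Airflow's code and does not reproduce the Airflow webserver's endpoints or fix; the row contents, session identifiers, secret key and handler names are constructed for the illustration. Each sink is shown in its weak form beside a hardened form: escaping at the output boundary for the stored XSS case, and a session-bound CSRF token verified in constant time for the CSRF case.

```python
import hashlib
import hmac
import html

# Constructed sample row standing in for an object read back from the
# metadata database. The dag_id value is attacker-controlled: in the
# CVE-2019-0216 scenario a privileged user wrote it there.
SAMPLE_ROW = {"dag_id": "<img src=x onerror=alert(1)>", "owner": "airflow"}


def render_row_vulnerable(row):
    # Interpolates database fields straight into markup: a stored XSS sink.
    return "<td>%s</td><td>%s</td>" % (row["dag_id"], row["owner"])


def render_row_safe(row):
    # Escape every value at the output boundary, regardless of which role
    # wrote it. quote=True also neutralises attribute-context breakouts.
    return "<td>%s</td><td>%s</td>" % (
        html.escape(row["dag_id"], quote=True),
        html.escape(row["owner"], quote=True),
    )


# Constructed server-side secret; a real deployment loads this from config.
SECRET_KEY = b"constructed-demo-secret-key"


def issue_csrf_token(session_id):
    # Token bound to the session: HMAC over the session id under a server
    # secret, so a token minted for one session is useless in another.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_state_change_vulnerable(request):
    # Acts on any request that carries a session cookie. A cross-site form
    # post from a logged-in browser satisfies this check (CVE-2019-0229).
    if request.get("session_id"):
        return "state changed"
    return "unauthorized"


def handle_state_change_safe(request):
    # Same endpoint with CSRF validation: the caller must present a token
    # that only same-origin page content could have obtained.
    session_id = request.get("session_id")
    if not session_id:
        return "unauthorized"
    presented = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(presented, expected):
        return "forbidden: missing or invalid CSRF token"
    return "state changed"


if __name__ == "__main__":
    print(render_row_vulnerable(SAMPLE_ROW))
    print(render_row_safe(SAMPLE_ROW))
    cross_site = {"session_id": "sess-1", "form": {}}
    same_origin = {"session_id": "sess-1",
                   "form": {"csrf_token": issue_csrf_token("sess-1")}}
    print(handle_state_change_vulnerable(cross_site))
    print(handle_state_change_safe(cross_site))
    print(handle_state_change_safe(same_origin))
```

The escaping is applied where the value leaves the application, not where it enters, because the database row may be written through paths (CLI, API, migrations) that never pass through a form validator. The CSRF token is derived from the session rather than stored per request, which keeps the check stateless; a framework-provided CSRF middleware would normally do this for every non-GET route so that no endpoint is missed, which is the failure mode the second CVE describes.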