====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN030
_____________________________________________________________________

DATE                : 20/01/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior to
                                       1.10.5.

=====================================================================
http://mail-archives.apache.org/mod_mbox/airflow-dev/202001.mbox/%3cDCAAED18-E405-402F-B422-171BE104BC23@getmailspring.com%3e
_____________________________________________________________________

Versions Affected:
<= 1.10.4.


Description:
In Apache Airflow before 1.10.5 when running with the "classic" UI, a
malicious admin user could edit the state of
objects in the Airflow metadata database to execute arbitrary javascript
on certain page views. The new "RBAC" UI is
unaffected.



Credit:
This issue was discovered by "Venkat"/yvreddy

(Sorry for the delay in reporting this in a timely manner. It was fixed
in 1.10.5 which was released 2019-09-04)


Thanks,
Ash, on behalf of Apache Airflow PMC

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================