==================================================================== CERT-Renater Note d'Information No. 2020/VULN681 _____________________________________________________________________ DATE : 11/12/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systemss running Apache Airflow versions prior to 1.10.14. ===================================================================== http://mail-archives.apache.org/mod_mbox/airflow-users/202012.mbox/%3cCAH5JyZrtawoGzRYWO+CicB9FY5DM740+RxDmt2pEn_fM3TctLw@mail.gmail.com%3e http://mail-archives.apache.org/mod_mbox/airflow-users/202012.mbox/%3cCAH5JyZpTnHka4PZFR60QKx_53NJsKVAYyYKHxe5Ro2P+ZgQEhg@mail.gmail.com%3e http://mail-archives.apache.org/mod_mbox/airflow-users/202012.mbox/%3cCAH5JyZppNAdEWSjZo5d50Yy5O1pvc-UUksHf4NPmamqguyH_+Q@mail.gmail.com%3e http://mail-archives.apache.org/mod_mbox/airflow-users/202012.mbox/%3cCAH5JyZqH4+B=Ks7ReQFOb0wRCeesDQNxNmR5mpWtYyOuChdSCA@mail.gmail.com%3e _____________________________________________________________________ Hi Airflow community, Please find below the information about vulnerability which has been addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I would recommend users to upgrade to Airflow 1.10.14 (released yesterday): *CVE-2020-17515: Apache Airflow Reflected XSS via Origin Parameter* The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.12 did not fix the issue completely. Reported by Ali Al-Habsi of Accellion Thanks. Kaxil @ Airflow PMC _____________________________________________________________________ Versions Affected: < 1.10.13 Description: The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. Credit: Ali Al-Habsi of Accellion Thanks, Kaxil, on behalf of Apache Airflow PMC _____________________________________________________________________ Versions Affected: < 1.10.13 Description: In Airflow < 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field. Credit: Ali Al-Habsi of Accellion Thanks, Kaxil, on behalf of Apache Airflow PMC _____________________________________________________________________ Hi Airflow community, Please find below the information about a vulnerability which has been addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I would recommend users to upgrade to Airflow 1.10.14 (released yesterday): *CVE-2020-17513: Apache Airflow Server-Side Request Forgery (SSRF) in Charts & Query View* *Description*: In Airflow < 1.10.13, The Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. Thanks. Kaxil @ Airflow PMC ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41         + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================