CVE-2017-17836

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2017-17836

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-17836.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-17836

Aliases

Published

2019-01-23T17:29:00.367Z

Modified

2026-04-10T03:58:58.158297Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the system.

References

https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57%40%3Cdev.airflow.apache.org%3E

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type

GIT

Repo

https://github.com/apache/airflow

Events

Introduced

Last affected

0eb7862730c68d25ebbabf1988d66d50dd988bb0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.8.2"
        }
    ]
}

Affected versions

0.*

0.1

0.11

0.2

0.2.1

0.2.2

0.2.3

0.3

0.3.1

0.3.2

0.4

0.4.1

0.4.2

0.4.3

0.4.5

0.5.0

1.*

1.0.1

1.1.0

1.1.1

1.2.0

1.3.0

1.4.0

1.5.0

1.5.1

1.6.0

1.6.1

1.7.0rc1

1.7.1rc1

1.8.2

1.8.2rc1

1.8.2rc2

1.8.2rc3

1.8.2rc4

airbnb_1.*

airbnb_1.7.1rc1

airbnb_1.7.1rc10

airbnb_1.7.1rc3

airbnb_prod.*

airbnb_prod.1.6.1.0

airbnb_prod.1.6.1.1

airbnb_prod.1.6.1.2

airbnb_prod.1.6.1.3

airbnb_prod.1.6.1.4

airbnb_prod.1.6.1.5

airbnb_prod.1.6.2.4

airbnb_prod.1.6.2.5

airbnb_prod.1.6.2.7

airbnb_prod.1.6.2.8

airbnb_prod.1.6.2.9

v1.*

v1.8.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-17836.json"