PYSEC-2019-216

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2019-216.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2019-216

Aliases

Published

2019-10-30T22:15:00Z

Modified

2023-11-08T04:01:04.905541Z

Summary

[none]

Details

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.6rc1

Affected versions

1.*

1.8.1

1.8.2rc1

1.8.2

1.9.0

1.10.0

1.10.1b1

1.10.1rc2

1.10.1

1.10.2b2

1.10.2rc1

1.10.2rc2

1.10.2rc3

1.10.2

1.10.3b1

1.10.3b2

1.10.3rc1

1.10.3rc2

1.10.3

1.10.4b2

1.10.4rc1

1.10.4rc2

1.10.4rc3

1.10.4rc4

1.10.4rc5

1.10.4

1.10.5rc1

1.10.5

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2019-216.yaml"