Arbitrary JavaScript Execution Vulnerability in Apache Airflow Classic UI

Arbitrary JavaScript Execution Vulnerability in Apache Airflow Classic UI

CVE-2019-12398 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected.

Learn more about our Cis Benchmark Audit For Apache Http Server.