Arbitrary JavaScript Execution and Local File Disclosure Vulnerability in Airflow Metadata Database

Arbitrary JavaScript Execution and Local File Disclosure Vulnerability in Airflow Metadata Database

CVE-2019-12417 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.

Learn more about our Web App Pen Testing.