Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThmZzQtajU2Mi1tanJj
Improper Input Validation in Apache Airflow resulting in Remote Code Execution
In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.
Permalink: https://github.com/advisories/GHSA-8fg4-j562-mjrc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThmZzQtajU2Mi1tanJj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 5 years ago
Updated: about 2 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8fg4-j562-mjrc, CVE-2017-15720
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15720
- https://github.com/advisories/GHSA-8fg4-j562-mjrc
- https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E
- https://github.com/apache/airflow/commit/04cacdd0a7526927137b452f38c3e894a5d2ce4a
- https://github.com/apache/airflow/commit/daa281c0364609d6812921123cf47e4118b40484
Blast Radius: 28.1
Affected Packages
pypi:apache-airflow
Dependent packages: 265
Dependent repositories: 1,554
Downloads: 25,438,275 last month
Affected Version Ranges: <= 1.8.2
Fixed in: 1.9.0
All affected versions: 1.8.1, 1.8.2
All unaffected versions: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0
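Checking a deployed Airflow against the range above is where these advisory pages usually get used, so here is an added example (not ecosyste.ms or Airflow code) that takes the published range "<= 1.8.2" and fixed version "1.9.0" from this page and evaluates arbitrary versions against them. The comparator is a deliberately small dotted-numeric one rather than a full PEP 440 implementation; it rejects pre-release tags such as "1.9.0rc1" instead of guessing at them, and it compares numerically so that 1.10.10 sorts after 1.10.9, which a plain string comparison would get wrong. The range grammar (one operator per spec, comma-joined specs) and the helper names are assumptions of this example.

```python
"""Evaluate Apache Airflow versions against the advisory's affected range.

Added example, not ecosyste.ms or Airflow code. The range "<= 1.8.2" and the
fixed version "1.9.0" are the values published on the advisory page; the
parser below handles dotted-numeric versions only (an assumption of this
example, not a PEP 440 implementation).
"""
import re
from typing import Optional, Tuple

# Values as published on the advisory page for pypi:apache-airflow.
AFFECTED_RANGES = ("<= 1.8.2",)
FIXED_IN = "1.9.0"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
_SPEC_RE = re.compile(r"^(<=|>=|<|>|==)\s*(\S+)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "1.10.10" into (1, 10, 10) so comparison is numeric per component.

    Pre-release or local-version suffixes are rejected rather than guessed at.
    """
    v = v.strip()
    if not _VERSION_RE.match(v):
        raise ValueError(f"unsupported version syntax: {v!r}")
    return tuple(int(part) for part in v.split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad the shorter tuple with zeros so that 1.8 == 1.8.0.
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def matches_spec(version: str, spec: str) -> bool:
    """True if `version` satisfies a single spec such as "<= 1.8.2"."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported range syntax: {spec!r}")
    op, bound = m.groups()
    c = _cmp(parse_version(version), parse_version(bound))
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True if `version` falls inside any affected range.

    A range may combine several specs with commas, e.g. ">= 1.8.0, <= 1.8.2";
    every spec in the range must hold.
    """
    return any(
        all(matches_spec(version, part) for part in rng.split(","))
        for rng in ranges
    )


def installed_airflow_version() -> Optional[str]:
    """Version string of apache-airflow in this environment, or None."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python < 3.8
        return None
    try:
        return version("apache-airflow")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Versions taken from the affected/unaffected lists on the advisory page.
    for v in ("1.8.1", "1.8.2", "1.9.0", "1.10.9", "1.10.10", "2.9.0"):
        print(f"{v:>8}: {'AFFECTED' if is_affected(v) else 'ok'}")
    inst = installed_airflow_version()
    if inst is not None:
        try:
            verdict = ("upgrade to >= " + FIXED_IN) if is_affected(inst) else "not affected"
        except ValueError:
            verdict = "version syntax not handled by this example; check manually"
        print(f"installed apache-airflow {inst}: {verdict}")
```

Run it as a script to see the verdict for each listed version and, if apache-airflow is installed in the current interpreter, for that install as well. The numeric tuple comparison is the point worth keeping from this: any inventory script that sorts or compares Airflow versions as strings will rank 1.10.9 above 1.10.10 and can mis-flag or miss hosts.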