Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc2ajQtM2doMi05ZjVq

High CVSS: 8.7 EPSS: 0.00401% (0.59549 Percentile) EPSS:
Permalink JSON

Apache Airflow vulnerable to CSRF Attacks

Affected Packages Affected Versions Fixed Versions
pypi:apache-airflow
PURL: pkg:pypi/apache-airflow
< 1.10.3 1.10.3
314 Dependent packages
1,554 Dependent repositories
13,170,658 Downloads last month

Affected Version Ranges

All affected versions

1.8.1, 1.8.2, 1.8.2rc1, 1.9.0, 1.10.0, 1.10.1, 1.10.1b1, 1.10.1rc2, 1.10.2, 1.10.2b2, 1.10.2rc1, 1.10.2rc2, 1.10.2rc3

All unaffected versions

1.10.3, 1.10.3b1, 1.10.3b2, 1.10.3rc1, 1.10.3rc2, 1.10.4, 1.10.4b2, 1.10.4rc1, 1.10.4rc2, 1.10.4rc3, 1.10.4rc4, 1.10.4rc5, 1.10.5, 1.10.5rc1, 1.10.6, 1.10.6rc1, 1.10.6rc2, 1.10.7, 1.10.7rc1, 1.10.7rc2, 1.10.7rc3, 1.10.8, 1.10.8rc1, 1.10.9, 1.10.9rc1, 1.10.10, 1.10.10rc1, 1.10.10rc2, 1.10.10rc3, 1.10.10rc4, 1.10.10rc5, 1.10.11, 1.10.11rc1, 1.10.11rc2, 1.10.12, 1.10.12rc1, 1.10.12rc2, 1.10.12rc3, 1.10.12rc4, 1.10.13, 1.10.13rc1, 1.10.14, 1.10.14rc1, 1.10.14rc2, 1.10.14rc3, 1.10.14rc4, 1.10.15, 1.10.15rc1, 2.0.0, 2.0.0b1, 2.0.0b2, 2.0.0b3, 2.0.0rc1, 2.0.0rc2, 2.0.0rc3, 2.0.1, 2.0.1rc1, 2.0.1rc2, 2.0.2, 2.0.2rc1, 2.1.0, 2.1.0rc1, 2.1.0rc2, 2.1.1, 2.1.1rc1, 2.1.2, 2.1.2rc1, 2.1.3, 2.1.3rc1, 2.1.4, 2.1.4rc1, 2.1.4rc2, 2.2.0, 2.2.0b1, 2.2.0b2, 2.2.0rc1, 2.2.1, 2.2.1rc1, 2.2.1rc2, 2.2.2, 2.2.2rc1, 2.2.2rc2, 2.2.3, 2.2.3rc1, 2.2.3rc2, 2.2.4, 2.2.4rc1, 2.2.5, 2.2.5rc1, 2.2.5rc2, 2.2.5rc3, 2.3.0, 2.3.0b1, 2.3.0rc1, 2.3.0rc2, 2.3.1, 2.3.1rc1, 2.3.2, 2.3.2rc1, 2.3.2rc2, 2.3.3, 2.3.3rc1, 2.3.3rc2, 2.3.3rc3, 2.3.4, 2.3.4rc1, 2.4.0, 2.4.0b1, 2.4.0rc1, 2.4.1, 2.4.1rc1, 2.4.2, 2.4.2rc1, 2.4.3, 2.4.3rc1, 2.5.0, 2.5.0rc1, 2.5.0rc2, 2.5.0rc3, 2.5.1, 2.5.1rc1, 2.5.1rc2, 2.5.2, 2.5.2rc1, 2.5.2rc2, 2.5.3, 2.5.3rc1, 2.5.3rc2, 2.6.0, 2.6.0b1, 2.6.0rc1, 2.6.0rc2, 2.6.0rc3, 2.6.0rc4, 2.6.0rc5, 2.6.1, 2.6.1rc1, 2.6.1rc2, 2.6.1rc3, 2.6.2, 2.6.2rc1, 2.6.2rc2, 2.6.3, 2.6.3rc1, 2.7.0, 2.7.0b1, 2.7.0rc1, 2.7.0rc2, 2.7.1, 2.7.1rc1, 2.7.1rc2, 2.7.2, 2.7.2rc1, 2.7.3, 2.7.3rc1, 2.8.0, 2.8.0b1, 2.8.0rc1, 2.8.0rc2, 2.8.0rc3, 2.8.0rc4, 2.8.1, 2.8.1rc1, 2.8.2, 2.8.2rc1, 2.8.2rc2, 2.8.2rc3, 2.8.3, 2.8.3rc1, 2.8.4, 2.8.4rc1, 2.9.0, 2.9.0b1, 2.9.0b2, 2.9.0rc1, 2.9.0rc2, 2.9.0rc3, 2.9.1, 2.9.1rc1, 2.9.1rc2, 2.9.2, 2.9.2rc1, 2.9.3, 2.9.3rc1, 2.10.0, 2.10.0b1, 2.10.0b2, 2.10.0rc1, 2.10.1, 2.10.1rc1, 2.10.2, 2.10.2rc1, 2.10.3, 2.10.3rc1, 2.10.3rc2, 2.10.4, 2.10.4rc1, 2.10.5, 2.10.5rc1, 2.11.0, 2.11.0rc1, 3.0.0, 3.0.0b4, 3.0.0rc1, 3.0.0rc1.post1, 3.0.0rc1.post2, 3.0.0rc1.post3, 3.0.0rc1.post4, 3.0.0rc2, 3.0.0rc3, 3.0.0rc4, 3.0.1, 3.0.1a1, 3.0.1a2, 3.0.1rc1, 3.0.2, 3.0.2rc1, 3.0.2rc2, 3.0.3, 3.0.3rc1, 3.0.3rc2, 3.0.3rc3, 3.0.3rc4, 3.0.3rc5, 3.0.3rc6, 3.0.4, 3.0.4rc1, 3.0.4rc2, 3.0.5, 3.0.5rc1, 3.0.5rc2, 3.0.5rc3, 3.0.6, 3.0.6rc1, 3.0.6rc2, 3.1.0, 3.1.0b1, 3.1.0b2, 3.1.0rc1, 3.1.0rc2, 3.1.1, 3.1.1rc1, 3.1.1rc2, 3.1.2rc1

A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

References:

Identifiers

GHSA-w6j4-3gh2-9f5j

CVE-2019-0229

Risk

Severity

High

CVSS

CVSS Score: 8.7

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00401

EPSS Percentile: 0.59549

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

over 6 years ago

Updated

about 1 year ago

API

JSON