{"containers": {"cna": {"affected": [{"product": "Airflow", "vendor": "Apache", "versions": [{"status": "affected", "version": "Apache Airflow <= 1.10.4"}]}], "descriptions": [{"lang": "en", "value": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected."}], "problemTypes": [{"descriptions": [{"description": "Stored XSS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-14T16:28:56", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[airflow-dev] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cdev.airflow.apache.org%3E"}, {"name": "[oss-security] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/01/14/2"}, {"name": "[airflow-users] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-12398", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Airflow", "version": {"version_data": [{"version_value": "Apache Airflow <= 1.10.4"}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stored XSS"}]}]}, "references": {"reference_data": [{"name": "[airflow-dev] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b@%3Cdev.airflow.apache.org%3E"}, {"name": "[oss-security] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/01/14/2"}, {"name": "[airflow-users] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:17:40.125Z"}, "title": "CVE Program Container", "references": [{"name": "[airflow-dev] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cdev.airflow.apache.org%3E"}, {"name": "[oss-security] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/01/14/2"}, {"name": "[airflow-users] 20200114 [CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-12398", "datePublished": "2020-01-14T16:28:35", "dateReserved": "2019-05-28T00:00:00", "dateUpdated": "2024-08-04T23:17:40.125Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "5497B08A-0162-4CC2-A993-CE092FD2D7C8", "versionEndExcluding": "1.10.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected."}, {"lang": "es", "value": "En Apache Airflow versiones anteriores a 1.10.5, cuando se ejecuta con la interfaz de usuario \"clasic\", un usuario administrador malicioso pod\u00eda editar el estado de los objetos en la base de datos de metadatos de Airflow para ejecutar javascript arbitrario en determinadas vistas de p\u00e1gina. La nueva Interfaz de Usuario \"RBAC\" no est\u00e1 afectada."}], "id": "CVE-2019-12398", "lastModified": "2024-11-21T04:22:45.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-14T17:15:13.050", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/01/14/2"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cdev.airflow.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/01/14/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cdev.airflow.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r72487ad6b23d18689896962782f8c93032afe5c72a6bfd23b253352b%40%3Cusers.airflow.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}