{"id":"PYSEC-2019-216","details":"A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. This also presented a Local File Disclosure vulnerability that exposed any file readable by the webserver process.","aliases":["CVE-2019-12417","GHSA-q3p4-gw7r-wqjc"],"modified":"2023-11-08T04:01:04.905541Z","published":"2019-10-30T22:15:00Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@%3Cusers.airflow.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-q3p4-gw7r-wqjc"}],"affected":[{"package":{"name":"apache-airflow","ecosystem":"PyPI","purl":"pkg:pypi/apache-airflow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.6rc1"}]}],"versions":["1.10.0","1.10.1","1.10.1b1","1.10.1rc2","1.10.2","1.10.2b2","1.10.2rc1","1.10.2rc2","1.10.2rc3","1.10.3","1.10.3b1","1.10.3b2","1.10.3rc1","1.10.3rc2","1.10.4","1.10.4b2","1.10.4rc1","1.10.4rc2","1.10.4rc3","1.10.4rc4","1.10.4rc5","1.10.5","1.10.5rc1","1.8.1","1.8.2","1.8.2rc1","1.9.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2019-216.yaml"}}],"schema_version":"1.7.3"}