CVE-2017-17836
CRITICAL
Apache Airflow < 1.8.2 - Authenticated Credential Exposure via Experimental Feature
Title source: llm
Description
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to Airflow, whether via XSS or via a machine left unlocked, can exfiltrate all credentials from the system.
Scores
CVSS v3
9.8
EPSS
0.0044
EPSS Percentile
63.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-255
Status
published
Products (2)
apache/airflow
< 1.8.2
pypi/apache-airflow
0 - 1.9.0 (PyPI)
Published
Jan 23, 2019
Tracked Since
Feb 18, 2026