CVE-2019-0229: Apache Airflow vulnerable to CSRF Attacks
8.8
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
apache-airflow | pip | < 1.10.3 | 1.10.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The provided information describes CSRF vulnerabilities in multiple HTTP endpoints of Apache Airflow's webserver components (both RBAC and classic), but does not explicitly identify specific function names or file paths. While the vulnerability root cause is clearly missing CSRF protections (CWE-352), the advisory materials lack commit diffs, patch details, or specific endpoint references needed to pinpoint exact vulnerable functions. The Airflow webserver uses Flask-based handlers (for classic UI) and Flask-AppBuilder views (for RBAC), but without seeing the security improvements made in 1.10.3, we cannot definitively identify which view functions lacked @csrf.exempt decorators or CSRF token validation checks. High confidence function identification requires examining the patched security implementations, which are not provided in the available resources.