
CVE-2019-0229: Apache Airflow vulnerable to CSRF Attacks

CVSS Score: 8.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.5994%
Published: 4/18/2019
Updated: 9/12/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
apache-airflow  pip          < 1.10.3               1.10.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The advisory describes CSRF vulnerabilities in multiple HTTP endpoints of Apache Airflow's webserver (both the RBAC and the classic UI) but does not name specific functions or file paths. The root cause is missing CSRF protection (CWE-352): state-changing endpoints honoured any request that carried the victim's session cookie, without requiring a per-session token that a cross-site page cannot obtain. The advisory materials lack the commit diffs, patch details, or endpoint references needed to pinpoint the vulnerable functions. The Airflow webserver uses Flask view functions for the classic UI and Flask-AppBuilder views for the RBAC UI; without the security changes made in 1.10.3, we cannot say which views were exempted from CSRF protection (for example via Flask-WTF's @csrf.exempt), fell outside its coverage, or validated no token at all. High-confidence function identification requires examining the patched implementation, which is not among the available resources.
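As an added illustration of the CWE-352 pattern described above (constructed for this page; not Airflow's, Flask's or Flask-WTF's code), the following Python shows a state-changing handler that checks only the session cookie next to one that also requires a per-session synchronizer token, and simulates a cross-site form submission against both. SECRET_KEY, the "pause DAG" action and the session dictionaries are assumptions standing in for a real Flask session and config.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: in a real deployment this comes from server-side configuration.
SECRET_KEY = b"assumed-server-side-secret"


def issue_csrf_token(session: dict) -> str:
    """Store a random per-session secret and return a signed token for the form.

    The raw value stays in the server-side session; the signed copy is rendered
    into the HTML form, which a cross-site page cannot read (same-origin policy).
    """
    if "csrf_raw" not in session:
        session["csrf_raw"] = secrets.token_hex(16)
    sig = hmac.new(SECRET_KEY, session["csrf_raw"].encode(), hashlib.sha256).hexdigest()
    return f"{session['csrf_raw']}.{sig}"


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept only a token with a valid signature whose secret matches this session."""
    if not submitted or "csrf_raw" not in session:
        return False
    raw, _, sig = submitted.partition(".")
    expected_sig = hmac.new(SECRET_KEY, raw.encode(), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the check does not leak by timing.
    return hmac.compare_digest(sig, expected_sig) and hmac.compare_digest(raw, session["csrf_raw"])


def unprotected_handler(method: str, session: dict, form: dict) -> Tuple[int, str]:
    """Vulnerable pattern (CWE-352): a logged-in session cookie is all that is checked."""
    if not session.get("user"):
        return 401, "login required"
    return 200, f"paused {form.get('dag_id')}"  # hypothetical state-changing action


def protected_handler(method: str, session: dict, form: dict) -> Tuple[int, str]:
    """Hardened form: the state change requires POST plus a valid per-session token."""
    if not session.get("user"):
        return 401, "login required"
    if method != "POST" or not verify_csrf_token(session, form.get("csrf_token")):
        return 400, "CSRF token missing or invalid"
    return 200, f"paused {form.get('dag_id')}"


def cross_site_post(handler) -> Tuple[int, str]:
    """Simulate a victim's browser auto-submitting an attacker-crafted form.

    The browser attaches the victim's session cookie, but the attacker's page
    cannot read the legitimate form's token, so it can only send a guess.
    """
    victim_session = {"user": "alice"}
    issue_csrf_token(victim_session)  # victim already rendered a legitimate page
    forged_form = {"dag_id": "prod_pipeline", "csrf_token": "guess." + "0" * 64}
    return handler("POST", victim_session, forged_form)


def legitimate_post(handler) -> Tuple[int, str]:
    """Same action submitted from the real form, token included."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    return handler("POST", session, {"dag_id": "prod_pipeline", "csrf_token": token})


if __name__ == "__main__":
    print("unprotected, cross-site:", cross_site_post(unprotected_handler))
    print("protected, cross-site:  ", cross_site_post(protected_handler))
    print("protected, legitimate:  ", legitimate_post(protected_handler))
```

The token is bound to the session (the raw value must match what the server stored) and signed (so a forged raw value fails before the session is consulted); the method check matters because a token-less GET that changes state is exploitable through a plain image or link regardless of any form token.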


WAF Protection Rules

WAF Rule

A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.
