Exfiltration of Credentials via Experimental Airflow Feature in Apache Airflow 1.8.2 and Earlier

CVE-2017-17836 · MEDIUM Severity

AV:N/AC:L/Au:N/C:P/I:N/A:N

In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to Airflow, whether via XSS or because a machine was left unlocked, can exfiltrate all credentials from the system.
