CVE-2019-12400
Unsafe DocumentBuilder caching in xmlsec (Maven)
What is CVE-2019-12400 About?
This vulnerability affects Apache Santuario - XML Security for Java (org.apache.santuario:xmlsec). Version 2.0.3 introduced a caching mechanism that speeds up creation of new XML documents by keeping a static pool of DocumentBuilders. If untrusted code running in the same JVM can register a malicious DocumentBuilderFactory implementation with the thread context class loader before that pool is populated, the malicious implementation can be cached and reused by xmlsec itself, which can lead to security flaws in operations such as validating signed documents. The issue affects 2.0.x releases from 2.0.3 onwards and 2.1.x releases before 2.1.4.
Affected Software
- org.apache.santuario:xmlsec (Apache Santuario - XML Security for Java), versions >=2.0.3 and <2.1.4
Technical Details
Apache Santuario - XML Security for Java obtains XML parsers through the standard JAXP lookup, DocumentBuilderFactory.newInstance(). That lookup consults, in order, the javax.xml.parsers.DocumentBuilderFactory system property, the JRE's jaxp.properties file, and the service-provider configuration (META-INF/services) visible to the current thread's context class loader (TCCL), before falling back to the JDK's built-in implementation. Version 2.0.3 of xmlsec added a static pool of DocumentBuilders (in its XMLUtils helper) so that repeated document creation does not pay for a new factory and builder each time. The pool is process-wide: whichever factory implementation the lookup resolves when the pool is first filled is the one every later caller in the JVM reuses. If untrusted code running in the same JVM (for example, another application deployed in a shared container) registers a DocumentBuilderFactory provider with the TCCL before that point, a builder produced by that provider is cached and handed to xmlsec's own operations. Because those operations include parsing documents whose XML Signatures are then validated, a parser under attacker control can return a DOM that differs from the bytes that were actually signed, undermining the guarantees signature validation is meant to provide.
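The thread-context-class-loader lookup the advisory relies on, and a startup check for the common mitigation of pinning the factory class, as an added example; this is not Apache Santuario code and is not taken from the page's sources. It assumes Java 9 or later (for DocumentBuilderFactory.newDefaultInstance()); the class names TcclFactoryDemo and ShadowFactory and the temporary directory holding the service file are made up for the demonstration.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class TcclFactoryDemo {

    /** Stand-in for a provider published by untrusted code (assumed name, demo only).
     *  It is deliberately harmless: it delegates to the JDK's built-in factory and only
     *  records that JAXP chose it. An attacker's provider would instead hand back a
     *  DocumentBuilder under their control. */
    public static class ShadowFactory extends DocumentBuilderFactory {
        public static volatile boolean selected;
        // newDefaultInstance() (Java 9+) bypasses the JAXP lookup, so there is no recursion.
        private final DocumentBuilderFactory delegate = DocumentBuilderFactory.newDefaultInstance();

        public ShadowFactory() { selected = true; }

        @Override public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
            return delegate.newDocumentBuilder();
        }
        @Override public void setAttribute(String name, Object value) { delegate.setAttribute(name, value); }
        @Override public Object getAttribute(String name) { return delegate.getAttribute(name); }
        @Override public void setFeature(String name, boolean value) throws ParserConfigurationException {
            delegate.setFeature(name, value);
        }
        @Override public boolean getFeature(String name) throws ParserConfigurationException {
            return delegate.getFeature(name);
        }
    }

    /** What a library gets from the standard JAXP lookup: the class of the factory that
     *  DocumentBuilderFactory.newInstance() resolves right now. A static pool built from
     *  this result keeps it for the life of the JVM. */
    public static String resolvedFactoryClass() {
        return DocumentBuilderFactory.newInstance().getClass().getName();
    }

    /** Builds a class loader that advertises providerClass through the ServiceLoader
     *  convention (META-INF/services/javax.xml.parsers.DocumentBuilderFactory) from a
     *  temporary directory, delegating every other lookup to our own loader. */
    public static ClassLoader loaderAdvertising(String providerClass) throws Exception {
        Path root = Files.createTempDirectory("tccl-demo");
        Path spi = root.resolve("META-INF/services/javax.xml.parsers.DocumentBuilderFactory");
        Files.createDirectories(spi.getParent());
        Files.write(spi, (providerClass + "\n").getBytes(StandardCharsets.UTF_8));
        return new URLClassLoader(new URL[] { root.toUri().toURL() },
                                  TcclFactoryDemo.class.getClassLoader());
    }

    /** Startup check for the pinned-implementation mitigation: true only if the factory
     *  JAXP actually hands out is the one named in the system property. */
    public static boolean factoryIsPinned() {
        String pinned = System.getProperty("javax.xml.parsers.DocumentBuilderFactory");
        return pinned != null && pinned.equals(resolvedFactoryClass());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("clean lookup        : " + resolvedFactoryClass());

        // The advisory's precondition: code in the same JVM installs a TCCL that advertises
        // its own provider before xmlsec fills its DocumentBuilder pool.
        ClassLoader original = Thread.currentThread().getContextClassLoader();
        Thread.currentThread().setContextClassLoader(loaderAdvertising(ShadowFactory.class.getName()));
        System.out.println("lookup under TCCL   : " + resolvedFactoryClass());
        System.out.println("ShadowFactory chosen: " + ShadowFactory.selected);

        // Mitigation independent of the upgrade: name the implementation explicitly so the
        // ServiceLoader/TCCL step is never reached, then verify before anything caches the result.
        System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
                DocumentBuilderFactory.newDefaultInstance().getClass().getName());
        System.out.println("pinned lookup       : " + resolvedFactoryClass());
        System.out.println("factoryIsPinned     : " + factoryIsPinned());
        Thread.currentThread().setContextClassLoader(original);
    }
}
```

Run with `javac TcclFactoryDemo.java && java TcclFactoryDemo`: the second lookup resolves to TcclFactoryDemo$ShadowFactory purely because of the context class loader, which is the behaviour the pool in affected xmlsec versions would freeze in place. Pinning the system property closes that step, and factoryIsPinned() is the kind of assertion to run at application startup, before any library can populate a cache; it narrows the attack surface but does not replace upgrading to 2.1.4.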
What is the Impact of CVE-2019-12400?
Code that can influence the cached DocumentBuilder interposes on every XML document xmlsec subsequently parses in that JVM. The advisory identifies signature validation as the primary concern: a controlled parser can change what is actually verified, so a document may validate against content the signer never produced, or tampering may go undetected. Other parsing the library performs, such as handling encrypted documents, is exposed to the same interposition. Because the pool is static, the effect persists until the JVM is restarted.
What is the Exploitability of CVE-2019-12400?
Exploitation requires attacker-controlled code already executing inside the target JVM, with enough freedom to install or influence the thread context class loader (or to publish a service-provider configuration that the TCCL will see) before xmlsec fills its DocumentBuilder pool. This is not a remote, unauthenticated issue on its own; it is a way for a low-trust component to escalate against a higher-trust one in the same process, which is why shared containers and application servers (see the TomEE references below) are the realistic setting. Timing matters: the provider has to be in place when the pool creates its builders. No user interaction is involved, and once a malicious builder is cached the interposition is silent and lasts for the life of the process.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-12400?
Available Upgrade Options
- org.apache.santuario:xmlsec
- >=2.0.3, <2.1.4 → Upgrade to 2.1.4
xmlsec is often pulled in transitively (through XML signature or application-server dependencies), so check the resolved version with mvn dependency:tree and force 2.1.4 or later through dependencyManagement if a parent POM or another library pins an older release. Vendor builds may carry a backported fix under a different version string; consult the Red Hat, NetApp and Oracle advisories below for those products.
Additional Resources
- https://osv.dev/vulnerability/GHSA-4q98-wr72-h35w
- https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce@%3Cdev.santuario.apache.org%3E
- https://access.redhat.com/errata/RHSA-2020:0806
- https://lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf82be0a7c98cd3545e20817bb96ed05551ea0020acbaf9a469fef402@%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190910-0003
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c@%3Cdev.santuario.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-12400?
Similar Vulnerabilities: CVE-2022-26270 , CVE-2021-39226 , CVE-2020-25212 , CVE-2015-7729 , CVE-2014-0453
