{"id":"CVE-2017-15720","details":"In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.","aliases":["GHSA-8fg4-j562-mjrc","PYSEC-2019-147"],"modified":"2026-05-07T21:10:32.349027Z","published":"2019-01-23T17:29:00.257Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57%40%3Cdev.airflow.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/airflow","events":[{"introduced":"0"},{"last_affected":"0eb7862730c68d25ebbabf1988d66d50dd988bb0"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.8.2"}],"cpe":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"}}],"versions":["0.1","0.11","0.2","0.2.1","0.2.2","0.2.3","0.3","0.3.1","0.3.2","0.4","0.4.1","0.4.2","0.4.3","0.4.5","0.5.0","1.0.1","1.1.0","1.1.1","1.2.0","1.3.0","1.4.0","1.5.0","1.5.1","1.6.0","1.6.1","1.7.0rc1","1.7.1rc1","1.8.2","1.8.2rc1","1.8.2rc2","1.8.2rc3","1.8.2rc4","airbnb_1.7.1rc1","airbnb_1.7.1rc10","airbnb_1.7.1rc3","airbnb_prod.1.6.1.0","airbnb_prod.1.6.1.1","airbnb_prod.1.6.1.2","airbnb_prod.1.6.1.3","airbnb_prod.1.6.1.4","airbnb_prod.1.6.1.5","airbnb_prod.1.6.2.4","airbnb_prod.1.6.2.5","airbnb_prod.1.6.2.7","airbnb_prod.1.6.2.8","airbnb_prod.1.6.2.9","v1.8.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-15720.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}