There were two vulnerabilities fixed in release of Apache Airflow 1.10.3 affecting the `airflow webserver` service:
CVE-2019-0216: Stored XSS Versions Affected: <= 1.10.2 Description: A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. Credit: Thanks to Nicolas Heiniger ( of photochrome.ch), Matt S, and Francesco Soncina (of ABN AMRO), and "Media Rest" for all independently reporting this vulnerability. CVE-2019-0229: Improper CSRF validation against various endpoints Versions Affected: <= 1.10.2 Description: A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks. Credit: Thanks to Erik Mulder at bol.com for reporting this. (CVE-2019-0216 is similar to CVE-2018-20244 form 1.10.2. We missed some cases of this in the previous fix) Thanks, Ash Apache Airflow PMC member