<p>Upgrade <code>luigi</code> to version 2.8.0 or higher.</p>

Cross-site Request Forgery (CSRF) Affecting luigi package, versions [2.3.3,2.8.0)

Snyk CVSS

Attack Complexity Low

User Interaction Required

Confidentiality High

Threat Intelligence

EPSS 0.16% (53^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-LUIGI-72726
published 24 Dec 2018
disclosed 20 Dec 2018
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 20 Dec 2018

CVE-2018-1000843 Open this link in a new tab CWE-352 Open this link in a new tab

How to fix?

Upgrade luigi to version 2.8.0 or higher.

Overview

luigi is a package that helps you build complex pipelines of batch jobs. It handles dependency resolution, workflow management, visualization, handling failures, command line integration, and much more.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via API endpoint: /api/ that can expose task metadata such as task name, id, parameter, etc to an unauthorized users. This attack can be exploited only when the victim visits a specially crafted webpage from the network where their Luigi server is accessible.