Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
References
Link | Resource |
---|---|
https://github.com/apache/airflow/pull/40522 | Issue Tracking Patch |
https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1 | Mailing List |
Configurations
History
01 Aug 2024, 13:56
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-277 |
19 Jul 2024, 16:04
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
Summary |
|
|
First Time |
Apache
Apache airflow |
|
References | () https://github.com/apache/airflow/pull/40522 - Issue Tracking, Patch | |
References | () https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1 - Mailing List | |
CPE | cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* |
17 Jul 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-17 08:15
Updated : 2024-08-01 13:56
NVD link : CVE-2024-39877
Mitre link : CVE-2024-39877
CVE.ORG link : CVE-2024-39877
JSON object : View
Products Affected
apache
- airflow