PT-2024-31664 · Apache · Apache Airflow
Amogh Desai (+2)
Published: 2024-09-06 · Updated: 2024-12-07
CVE-2024-45498
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Apache Airflow version 2.10.0
Description:
The issue allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. It is related to the example DAG `example_inlet_event_extra.py` shipped with Apache Airflow. It is recommended to review DAGs based on this example and to avoid exposing example DAGs in deployments.
Recommendations:
For Apache Airflow version 2.10.0, upgrade to version 2.10.1 or later to resolve the issue. If you must expose the example DAGs, upgrading is the primary mitigation measure. As a temporary workaround, restrict access to the example DAGs until the upgrade has been applied.
Fix
Weakness Enumeration
Improper Encoding or Escaping of Output
Related Identifiers
CVE-2024-45498
Affected Products
Apache Airflow