PT-2024-4769 · Apache · Apache Airflow

Seokchan Yoon +1 · Published 2024-07-17 · Updated 2025-07-28 · CVE-2024-39877

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Airflow versions 2.4.0 through 2.9.3

Description

This vulnerability allows authenticated DAG authors to craft a malicious doc_md parameter, potentially leading to arbitrary code execution within the scheduler context. This bypasses Airflow’s security model, which should prevent such actions. The vulnerability stems from a lack of sanitization when processing the doc_md parameter, which is used to create descriptions for DAGs (Directed Acyclic Graphs) in the Airflow web interface. When doc_md does not have a '.md' extension, Airflow creates a template using jinja2.Template(doc_md), resulting in a Server-Side Template Injection (SSTI) condition. Attackers can leverage Python’s introspection capabilities to enumerate classes and execute commands, potentially compromising the system. Exploitation requires the ability to create DAGs on the Airflow server.

Recommendations

Upgrade to Apache Airflow version 2.9.3 or later to resolve this issue.
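For reviewing DAG repositories on deployments that have not yet been upgraded, the following added example (not part of the original advisory and not Airflow's own code) statically scans DAG source for doc_md values that match the condition in the description: an inline string without a '.md' extension that contains Jinja delimiters. The names classify and scan_dag_source and the sample DAG are assumptions constructed for illustration; values built at runtime are reported as "dynamic" for manual review.

```python
import ast

JINJA_MARKERS = ("{{", "{%", "{#")

# Constructed sample DAG source (illustrative only; never imported or executed).
SAMPLE_DAG = '''
from airflow import DAG

with DAG(dag_id="docs_from_file", doc_md="docs/overview.md") as d1:
    pass

with DAG(dag_id="plain_text", doc_md="### Nightly load") as d2:
    pass

with DAG(dag_id="templated_inline", doc_md="Report {{ 7 * 7 }}") as d3:
    pass

d2.doc_md = build_docs()
'''


def classify(value):
    """Return a finding label for a doc_md value node, or None if nothing to flag."""
    if isinstance(value, ast.Constant):
        text = value.value
        if not isinstance(text, str) or text.strip().endswith(".md"):
            return None  # None/non-string, or a '.md' path (not the case the advisory describes)
        return "inline-jinja" if any(m in text for m in JINJA_MARKERS) else None
    return "dynamic"  # f-string, call or variable: content unknown statically, review by hand


def scan_dag_source(source, filename="<dag>"):
    """Return sorted (line, label) findings for doc_md kwargs and attribute assignments."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            values = [kw.value for kw in node.keywords if kw.arg == "doc_md"]
        elif isinstance(node, ast.Assign):
            is_doc = any(isinstance(t, ast.Attribute) and t.attr == "doc_md"
                         for t in node.targets)
            values = [node.value] if is_doc else []
        else:
            continue
        findings += [(v.lineno, label) for v in values if (label := classify(v))]
    return sorted(findings)


if __name__ == "__main__":
    for line, label in scan_dag_source(SAMPLE_DAG):
        print(f"line {line}: doc_md finding: {label}")
```

The scan only parses the source with ast, so it can run in code review or CI without Airflow installed and without executing the DAG file.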

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-05292
BIT-AIRFLOW-2024-39877
CVE-2024-39877
GHSA-G5HV-R743-V8PM
PYSEC-2024-190

Affected Products

Apache Airflow