PT-2026-21670 · Apache · Apache Airflow

Seokchan Yoon

·

Published

2026-02-24

·

Updated

2026-03-01

·

CVE-2024-56373

CVSS v3.1

8.4

High

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Airflow versions prior to 2.11.1

Description

A user with DAG author permissions can write to the Airflow metadata database, which the scheduler, workers and web server all share. The web server renders the stored log template history as a template when it resolves the file names of historical task logs, so a DAG author who plants a crafted template in the database can have arbitrary code executed in the web server's context when a user views historical task information. The issue is a Server-Side Template Injection (SSTI) reached through shared database state rather than through a request parameter; the CVSS vector reflects this (DAG author rights are needed, PR:H; a user must view the affected logs, UI:R; the code runs in the web server rather than in the attacker's own component, S:C). The functionality responsible, log template history, is disabled by default in version 2.11.1.

Recommendations

Upgrade to Airflow 2.11.1 or later. With log template history disabled in 2.11.1, logs written before the last change of the log template are no longer located automatically: if you need to view them, rename the historical log files to match the current template. If you require log template history itself, upgrade to Airflow 3.
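The hardening point above is that a template string read from a shared database must be treated as attacker-controlled input, not as configuration. The following Python is an added example written for this page, not Airflow code: it allow-lists the fields a stored log filename template may reference, refuses anything that is more than a plain field reference (filters, subscripts, literals, Jinja statements), substitutes the fields without invoking a template engine, and audits a set of constructed sample rows. The allow-list, the field syntax and the sample rows are this example's own assumptions; a real deployment would tune the allow-list to the template it actually configured.

```python
"""Allow-list check for log filename templates read from a shared database.

Constructed example for this page; it is not Airflow code. The allow-list,
the accepted placeholder syntax and the sample rows are assumptions.
"""
from __future__ import annotations

import re

# Fields a log filename template is permitted to reference (assumption).
ALLOWED_FIELDS = {"ti.dag_id", "ti.task_id", "ti.run_id", "ts", "try_number"}

# A plain field reference such as "{{ ti.dag_id }}": dotted identifiers only,
# no filters, calls, subscripts, literals or arithmetic.
PLACEHOLDER_RE = re.compile(
    r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\}\}"
)


def check_template(template: str) -> list[str]:
    """Return the reasons a stored template is unsafe; an empty list means it passed."""
    problems: list[str] = []
    if "{%" in template or "{#" in template:
        problems.append("contains a Jinja statement or comment block")
    # Remove the plain references; any '{{' left behind is an expression we refuse.
    leftover = PLACEHOLDER_RE.sub("", template)
    if "{{" in leftover or "}}" in leftover:
        problems.append("contains an expression that is not a plain field reference")
    for field in PLACEHOLDER_RE.findall(template):
        if field not in ALLOWED_FIELDS:
            problems.append(f"references non-allow-listed field {field!r}")
    return problems


def render_safely(template: str, context: dict) -> str:
    """Substitute allow-listed fields by string replacement; no template engine is run."""
    problems = check_template(template)
    if problems:
        raise ValueError("unsafe log template: " + "; ".join(problems))

    def lookup(match: re.Match) -> str:
        value = context
        for part in match.group(1).split("."):
            value = value[part] if isinstance(value, dict) else getattr(value, part)
        return str(value)

    return PLACEHOLDER_RE.sub(lookup, template)


# Constructed sample rows (id, filename template) standing in for stored history.
SAMPLE_ROWS = [
    (1, "{{ ti.dag_id }}/{{ ti.task_id }}/{{ ts }}/{{ try_number }}.log"),
    (2, "{{ ti.dag_id }}/{{ ''.__class__.__mro__[1].__subclasses__() }}.log"),
    (3, "{{ ti.dag_id }}/{{ ti.__class__.__init__.__globals__ }}.log"),
    (4, "{{ ti.dag_id }}/{% if ti.task_id %}{{ ti.task_id }}{% endif %}.log"),
]


def audit_rows(rows) -> dict[int, list[str]]:
    """Map the id of every unsafe row to its findings; safe rows are omitted."""
    findings: dict[int, list[str]] = {}
    for row_id, template in rows:
        problems = check_template(template)
        if problems:
            findings[row_id] = problems
    return findings


if __name__ == "__main__":
    for row_id, problems in audit_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: " + "; ".join(problems))
    ctx = {
        "ti": {"dag_id": "etl", "task_id": "load"},
        "ts": "2026-02-24T00:00:00+00:00",
        "try_number": 1,
    }
    print(render_safely(SAMPLE_ROWS[0][1], ctx))
```

Row 1 passes and renders to a plain path; rows 2 and 3 are the shape of a stored SSTI payload (an expression that walks object internals) and are refused before anything is rendered; row 4 is refused because it carries a statement block, which the allow-list deliberately does not model. The design choice is that the web tier never hands a database-sourced string to a template engine at all: substitution of a fixed set of fields gives the same result for legitimate templates and leaves no evaluation surface for a malicious one.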

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BIT-AIRFLOW-2024-56373
CVE-2024-56373
GHSA-R837-HPV7-PC2F

Affected Products

Apache Airflow