oss-sec mailing list archives

CVE-2024-45498: Apache Airflow: Command Injection in an example DAG


From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Fri, 06 Sep 2024 16:43:56 +0000

Severity: low

Affected versions:

- Apache Airflow 2.10.0

Description:

The example DAG example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an 
authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the 
base of your own DAGs, please review them to confirm you have not copied the dangerous construction; see 
https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in 
your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
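
The advisory asks operators to check whether their own DAGs were based on the dangerous example. The checker below is an added example, not code from the advisory or the Airflow project: it walks a DAG file's AST and flags BashOperator bash_command literals that render run-time data an authenticated user can influence (dag_run.conf, inlet_events, params, XCom) through Jinja, which is one common way a DAG ends up with the command injection this advisory describes. That the shipped example matched exactly this shape is an assumption here (the linked PR is the authoritative diff), and the sample DAG source is constructed.

```python
import ast
import re

# Jinja variables that carry run-time data an authenticated user can influence.
RISKY_SOURCES = ("dag_run.conf", "inlet_events", "params", "ti.xcom_pull")
JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def _str_kwarg(call, name):
    """Return the plain string literal passed as keyword `name`, else None."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant):
            if isinstance(kw.value.value, str):
                return kw.value.value
    return None


def find_templated_bash_commands(source):
    """Return (line, task_id, source) tuples, one per risky Jinja source rendered
    into a BashOperator bash_command literal. f-strings/variables are out of scope."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # ast.Name exposes `id`, ast.Attribute exposes `attr`; anything else -> "".
        if getattr(node.func, "id", getattr(node.func, "attr", "")) != "BashOperator":
            continue
        command = _str_kwarg(node, "bash_command") or ""
        for block in JINJA_BLOCK.findall(command):
            for src in RISKY_SOURCES:
                if src in block:
                    findings.append((node.lineno, _str_kwarg(node, "task_id"), src))
    return findings


# Constructed sample DAG source (not the shipped example). The first task renders
# run-time data into the command string; the second passes it through `env`, so
# the shell expands it as a value instead of re-parsing it as code.
SAMPLE_DAG = '''
risky = BashOperator(
    task_id="print_extra",
    bash_command='echo "{{ inlet_events[ds][-1].extra }}"',
)
safer = BashOperator(
    task_id="print_conf",
    bash_command='echo "$MESSAGE"',
    env={"MESSAGE": "{{ dag_run.conf.get('message', '') }}"},
)
'''

if __name__ == "__main__":
    for line, task_id, src in find_templated_bash_commands(SAMPLE_DAG):
        print(f"line {line}: task {task_id!r} renders {src} into bash_command")
```

Run it over each file in your DAGs folder; a hit is a line to review, not proof of exploitability, since the rendered value may still be unreachable by trigger-only users.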

Credit:

Nhien Pham (aka nhienit) at Galaxy One (finder)
Amogh Desai (remediation developer)

References:

https://github.com/apache/airflow/pull/41873
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45498