Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-07-17T07:54:24.338Z

Updated: 2024-08-02T04:33:10.827Z

Reserved: 2024-07-01T16:18:42.845Z

Link: CVE-2024-39877

cve-icon Vulnrichment

Updated: 2024-08-02T04:33:10.827Z

cve-icon NVD

Status : Modified

Published: 2024-07-17T08:15:02.073

Modified: 2024-08-01T13:56:00.307

Link: CVE-2024-39877

cve-icon Redhat

No data.