Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs, please review whether you have copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
History

Mon, 04 Nov 2024 17:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Apache
                                        Apache airflow
CPEs                                    cpe:2.3:a:apache:airflow:2.10.0:*:*:*:*:*:*:*
Vendors & Products                      Apache
                                        Apache airflow
References
Metrics                                 cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                        ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Sep 2024 14:30:00 +0000

Type                  Values Removed    Values Added
References

Sat, 07 Sep 2024 08:00:00 +0000

Type                  Values Removed    Values Added
Description                             Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs, please review whether you have copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
Title                                   Apache Airflow: Command Injection in an example DAG
Weaknesses                              CWE-116
References

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-09-07T07:43:43.899Z

Updated: 2024-11-04T16:24:53.972Z

Reserved: 2024-08-30T12:52:06.199Z

Link: CVE-2024-45498

Vulnrichment

Updated: 2024-09-07T08:03:14.894Z

NVD

Status: Awaiting Analysis

Published: 2024-09-07T08:15:11.407

Modified: 2024-11-04T17:35:22.900

Link: CVE-2024-45498

Redhat

No data.