Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 04 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache airflow |
|
CPEs | cpe:2.3:a:apache:airflow:2.10.0:*:*:*:*:*:*:* | |
Vendors & Products |
Apache
Apache airflow |
|
References |
|
|
Metrics |
cvssV3_1
|
Mon, 09 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Sat, 07 Sep 2024 08:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later. | |
Title | Apache Airflow: Command Injection in an example DAG | |
Weaknesses | CWE-116 | |
References |
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-09-07T07:43:43.899Z
Updated: 2024-11-04T16:24:53.972Z
Reserved: 2024-08-30T12:52:06.199Z
Link: CVE-2024-45498
Vulnrichment
Updated: 2024-09-07T08:03:14.894Z
NVD
Status : Awaiting Analysis
Published: 2024-09-07T08:15:11.407
Modified: 2024-11-21T09:37:51.613
Link: CVE-2024-45498
Redhat
No data.