Today > vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-45498

Sept. 9, 2024, 1:03 p.m.

Tags

security@apache.org
CWE-116
2024-09-07
CVE-2024-45498

Product(s) Impacted

Apache Airflow

  • 2.10.0

Description

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Weaknesses

CWE-116
Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE ID: 116

Date

Published: Sept. 7, 2024, 8:15 a.m.

Last Modified: Sept. 9, 2024, 1:03 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

References

https://github.com/ security@apache.org
https://lists.apache.org/ security@apache.org