BIT-airflow-2024-45498

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2024-45498.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-airflow-2024-45498

Aliases

Published

2024-09-10T07:04:05.933Z

Modified

2025-05-20T10:02:07.006Z

Summary

Apache Airflow: Command Injection in an example DAG

Details

Example DAG: exampleinletevent_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:apache:airflow:*:*:*:*:*:python:*:*"
    ]
}

References

Affected packages

Bitnami / airflow

Package

Name: airflow
Purl: pkg:bitnami/airflow

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

2.10.0

Fixed

2.10.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2024-45498.json"