BIT-airflow-2024-45498

Import Source
https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2024-45498.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-airflow-2024-45498
Aliases
Published
2024-09-10T07:04:05.933Z
Modified
2024-11-27T19:40:48.342Z
Summary
[none]
Details

The example DAG example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 contains a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your own DAGs, review them to confirm you have not copied the dangerous pattern; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Database specific
{
    "cpes": [
        "cpe:2.3:a:apache:airflow:*:*:*:*:*:python:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / airflow

Package

Name
airflow
Purl
pkg:bitnami/airflow

Severity

  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected ranges

Type
SEMVER
Events
Introduced
2.10.0
Fixed
2.10.1