CVE-2024-39877

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-39877

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39877.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-39877

Aliases

Related

CGA-7mq4-p53v-jcm2

Published

2024-07-17T08:15:02.073Z

Modified

2026-02-14T23:54:24.800105Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type: GIT
Repo: https://github.com/apache/airflow
Events: Introduced

a0303486de970cc654bc12b62c8bee6a25e3382e

Fixed

cdf5d1e1b17b6269e8a5dc95aad4fbe344c05b9b

Affected versions

providers-amazon/9.*

providers-amazon/9.22.0rc1

providers-apache-cassandra/3.*

providers-apache-cassandra/3.9.2

providers-apache-cassandra/3.9.2rc1

providers-apache-hive/9.*

providers-apache-hive/9.2.5

providers-apache-hive/9.2.5rc1

providers-apache-kafka/1.*

providers-apache-kafka/1.12.0

providers-apache-kafka/1.12.0rc1

providers-celery/3.*

providers-celery/3.16.0

providers-celery/3.16.0rc1

providers-cncf-kubernetes/10.*

providers-cncf-kubernetes/10.12.4

providers-cncf-kubernetes/10.12.4rc1

providers-common-compat/1.*

providers-common-compat/1.13.1

providers-common-compat/1.13.1rc1

providers-common-sql/1.*

providers-common-sql/1.31.0

providers-common-sql/1.31.0rc1

providers-databricks/7.*

providers-databricks/7.9.1

providers-databricks/7.9.1rc1

providers-edge3/3.*

providers-edge3/3.0.2

providers-edge3/3.0.2rc1

providers-exasol/4.*

providers-exasol/4.9.3

providers-exasol/4.9.3rc1

providers-fab/3.*

providers-fab/3.3.0

providers-fab/3.3.0rc1

providers-git/0.*

providers-git/0.2.3

providers-git/0.2.3rc1

providers-github/2.*

providers-github/2.11.0

providers-github/2.11.0rc1

providers-google/20.*

providers-google/20.0.0rc1

providers-hashicorp/4.*

providers-hashicorp/4.5.0

providers-hashicorp/4.5.0rc1

providers-imap/3.*

providers-imap/3.11.0

providers-imap/3.11.0rc1

providers-keycloak/0.*

providers-keycloak/0.5.2

providers-keycloak/0.5.2rc1

providers-microsoft-azure/13.*

providers-microsoft-azure/13.0.0rc1

providers-mysql/6.*

providers-mysql/6.4.3

providers-mysql/6.4.3rc1

providers-openlineage/2.*

providers-openlineage/2.10.2

providers-openlineage/2.10.2rc1

providers-oracle/4.*

providers-oracle/4.4.0

providers-oracle/4.4.0rc1

providers-postgres/6.*

providers-postgres/6.5.4

providers-postgres/6.5.4rc1

providers-snowflake/6.*

providers-snowflake/6.9.1

providers-snowflake/6.9.1rc1

providers-standard/1.*

providers-standard/1.11.1

providers-standard/1.11.1rc1

providers-tableau/5.*

providers-tableau/5.3.3

providers-tableau/5.3.3rc1

providers-teradata/3.*

providers-teradata/3.4.3

providers-teradata/3.4.3rc1

providers-yandex/4.*

providers-yandex/4.4.0

providers-yandex/4.4.0rc1

providers-ydb/2.*

providers-ydb/2.4.0

providers-ydb/2.4.0rc1

Other

providers/2026-02-10

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39877.json"