CVE-2024-45498

EPSS 1.63%
Veröffentlicht 07.09.2024 08:15:11
Zuletzt bearbeitet 03.06.2025 21:12:43
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: Command Injection in an example DAG

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see  https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version2.10.0 Update-

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.63%	0.816

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://github.com/apache/airflow/pull/41873

Issue Tracking

https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/09/06/2

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-45498

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45498

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45498

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-45498