CVE-2024-45498

EPSS 1.47%
Veröffentlicht 07.09.2024 08:15:11
Zuletzt bearbeitet 03.06.2025 21:12:43
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see  https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version2.10.0 Update-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.47%	0.803

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://github.com/apache/airflow/pull/41873

Issue Tracking

https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/09/06/2

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-45498

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45498

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45498

EUVD