CVE-2024-45498

EPSS 1.47%
Published 07.09.2024 08:15:11
Last modified 03.06.2025 21:12:43
Source security@apache.org
Teams watchlist Login
Open Login

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see  https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Airflow Version2.10.0 Update-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.47%	0.803

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://github.com/apache/airflow/pull/41873

Issue Tracking

https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/09/06/2

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-45498

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45498

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45498

EUVD