CVE-2024-39877 Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler

2024-07-1707:54:24

CWE-94

apache

www.cve.org

apache airflow

authenticated

dag author

code execution

cve-2024-39877

vulnerability

upgrade

EPSS

0.001

Percentile

40.9%

JSON

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

CNA Affected

[
  {
    "collectionURL": "https://pypi.python.org",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow",
    "product": "Apache Airflow",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.9.3",
        "status": "affected",
        "version": "2.4.0",
        "versionType": "semver"
      }
    ]
  }
]