CVE-2024-45498

Published: 07 Sep 2024
Source: nvd
CVSS3: 8.8
EPSS: Low

Description

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Vulnerable configurations

Configuration 1
cpe:2.3:a:apache:airflow:2.10.0:-:*:*:*:*:*:*

EPSS

Score: 0.01625
Percentile: 81%
Rating: Low

CVSS3

8.8 High

Weaknesses

CWE-116

Related vulnerabilities

CVSS3: 8.8
debian
more than 1 year ago

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow ...

CVSS3: 8.8
github
more than 1 year ago

Apache Airflow vulnerable to Improper Encoding or Escaping of Output
