CVE-2024-45034

CWE-2505 documents4 sources

Severity

8.8HIGH

EPSS

3.1%

top 13.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedSep 7

Description

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/airflow< 2.10.1

▶PyPIapache-airflow< 2.10.1

▶CVEListV5apache_software_foundation/apache_airflow< 2.10.1

🔴Vulnerability Details

OSV

CVE-2024-45034: Apache Airflow versions before 2↗2024-09-07

▶

GHSA

Apache Airflow vulnerable to Execution with Unnecessary Privileges↗2024-09-07

▶

CVEList

Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes↗2024-09-07

▶

OSV

Apache Airflow vulnerable to Execution with Unnecessary Privileges↗2024-09-07

▶