CVE-2024-45034

Published: Sep 7, 2024Modified: Jun 3, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.

Affected (1)

Products: Apache: Airflow

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Airflow	Before 2.10.1

Related CWEs

Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

References (3)

https://github.com/apache/airflow/pull/41672

Source: security@apache.org

Issue Tracking

https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2024/09/06/3

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

Timeline

No history available yet.