VYPR
High severityNVD Advisory· Published Sep 7, 2024· Updated Nov 4, 2024

Apache Airflow: Command Injection in an example DAG

CVE-2024-45498

Description

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
apache-airflowPyPI
>= 2.10.0, < 2.10.12.10.1

Affected products

9

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.