Apache Airflow has DAG Author Code Execution possibility in airflow-scheduler

GHSA-g5hv-r743-v8pm · BIT-airflow-2024-39877 · CVE-2024-39877 · PYSEC-2024-190

Published Jul 17, 2024 · Modified Feb 4, 2026

Description

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-39877
WEB https://github.com/apache/airflow/pull/40522
WEB https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml
WEB https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
WEB http://www.openwall.com/lists/oss-security/2024/07/16/7

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes