Apache Airflow 2.10.0 Example DAG RCE via Authenticated Trigger - Fixed 2.10.1
CVE-2024-45498 Published on September 7, 2024
Apache Airflow: Command Injection in an example DAG
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
Vulnerability Analysis
CVE-2024-45498 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2024-45498 has been classified to as an Output Sanitization vulnerability or weakness.
Products Associated with CVE-2024-45498
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-45498 are published in Apache AirFlow:
Affected Versions
Apache Software Foundation Apache Airflow:- Version 2.10.0 is affected.
- Version 2.10.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.