CGA-h5gv-qmmr-9r2w

Published

Last updated

https://images.chainguard.dev/security/CGA-h5gv-qmmr-9r2w

Package

airflow

Latest Update

Fixed

Fixed Version

2.9.3-r0

Aliases

CVE-2024-39877
GHSA-g5hv-r743-v8pm

Severity

8.8

High

CVSS V3

Summary

Apache Airflow has DAG Author Code Execution possibility in airflow-scheduler

Description

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39877
https://github.com/advisories/GHSA-g5hv-r743-v8pm
https://github.com/apache/airflow/pull/40522
https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531
https://github.com/apache/airflow
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml
https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
http://www.openwall.com/lists/oss-security/2024/07/16/7

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-h5gv-qmmr-9r2w

Severity

Summary

Description

References

Updates

Product

Why Chainguard

Customers

Company

Resources