Main Vulnerability Database Vulnerabilities #VU96967

Permissions, Privileges, and Access Controls in Apache Airflow - CVE-2024-45034

Published: September 10, 2024

Vulnerability identifier: #VU96967

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-45034

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Airflow

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to the application allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler. A remote user can compromise the affected system.

How to mitigate CVE-2024-45034

Install updates from vendor's website.

Sources

https://github.com/apache/airflow/pull/41672
https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx

Permissions, Privileges, and Access Controls in Apache Airflow - CVE-2024-45034

Detailed vulnerability description

How to mitigate CVE-2024-45034

Sources

Please verify you're human