#VU96967 Permissions, Privileges, and Access Controls in Apache Airflow - CVE-2024-45034


Vulnerability identifier: #VU96967

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-45034

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Airflow
Web applications / Modules and components for CMS

Vendor: Apache Foundation

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists because the application allows DAG authors to add local settings to the DAG folder and have them executed by the scheduler, which is not supposed to run code submitted by DAG authors. A remote user can compromise the affected system.
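As an added defender-side check, written for this bulletin and not taken from it or from the Airflow project: a script that flags a local-settings module sitting in the DAG folder and tests the installed version against the affected range stated below. It assumes, from Airflow's documentation rather than from this page, that local settings are loaded from a module named airflow_local_settings, and that the DAG folder path is the one configured as dags_folder for the deployment.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Module name Airflow imports for local settings (from the Airflow docs, not this bulletin).
LOCAL_SETTINGS_MODULE = "airflow_local_settings"
# Affected range exactly as the bulletin states it: 2.0.0 through 2.10.0.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 10, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0); a pre-release suffix such as 'rc1' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def is_affected_version(version: str) -> bool:
    """True when the installed Airflow falls inside the bulletin's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_local_settings_in_dag_folder(dags_folder: str) -> List[str]:
    """Top-level entries in the DAG folder that would import as airflow_local_settings.

    Only the top level matters: the DAG folder itself is on the scheduler's sys.path,
    so a module placed there shadows the legitimate one in the config directory.
    """
    root = Path(dags_folder)
    hits = []
    if (root / f"{LOCAL_SETTINGS_MODULE}.py").is_file():          # plain module
        hits.append(str(root / f"{LOCAL_SETTINGS_MODULE}.py"))
    if (root / LOCAL_SETTINGS_MODULE / "__init__.py").is_file():  # package form
        hits.append(str(root / LOCAL_SETTINGS_MODULE))
    return hits


def assess(dags_folder: str, airflow_version: str) -> dict:
    """Combine the version check and the DAG-folder scan into one finding."""
    planted = find_local_settings_in_dag_folder(dags_folder)
    affected = is_affected_version(airflow_version)
    return {"affected_version": affected, "planted": planted,
            "action_required": affected or bool(planted)}


def demo() -> dict:
    """Constructed sample: a temporary DAG folder holding a planted settings module."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "etl_dag.py").write_text("# ordinary DAG file\n")
        (Path(tmp) / f"{LOCAL_SETTINGS_MODULE}.py").write_text("# should not be here\n")
        return assess(tmp, "2.10.0")
```

Run assess() against the real dags_folder and the output of "airflow version"; a hit in the DAG folder on an unpatched version is the condition this bulletin describes, and on a patched version it is still worth removing and investigating who committed it.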

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Apache Airflow: 2.0.0 - 2.10.0


External links
https://github.com/apache/airflow/pull/41672
https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
