CVE-2024-45498

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:2.10.0:-:*:*:*:*:*:*

History

03 Jun 2025, 21:12

Type Values Removed Values Added
References () https://github.com/apache/airflow/pull/41873 - () https://github.com/apache/airflow/pull/41873 - Issue Tracking
References () https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n - () https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2024/09/06/2 - () http://www.openwall.com/lists/oss-security/2024/09/06/2 - Mailing List
First Time Apache
Apache airflow
CPE cpe:2.3:a:apache:airflow:2.10.0:-:*:*:*:*:*:*

21 Nov 2024, 09:37

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/09/06/2 -

04 Nov 2024, 17:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8

09 Sep 2024, 13:03

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-07 08:15

Updated : 2025-06-03 21:12


NVD link : CVE-2024-45498

Mitre link : CVE-2024-45498

CVE.ORG link : CVE-2024-45498


JSON object : View

Products Affected

apache

  • airflow
CWE
CWE-116

Improper Encoding or Escaping of Output