Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
References
Link | Resource |
---|---|
https://github.com/apache/airflow/pull/41873 | Issue Tracking |
https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n | Mailing List Vendor Advisory |
http://www.openwall.com/lists/oss-security/2024/09/06/2 | Mailing List |
Configurations
History
03 Jun 2025, 21:12
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/apache/airflow/pull/41873 - Issue Tracking | |
References | () https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n - Mailing List, Vendor Advisory | |
References | () http://www.openwall.com/lists/oss-security/2024/09/06/2 - Mailing List | |
First Time |
Apache
Apache airflow |
|
CPE | cpe:2.3:a:apache:airflow:2.10.0:-:*:*:*:*:*:* |
21 Nov 2024, 09:37
Type | Values Removed | Values Added |
---|---|---|
References |
|
04 Nov 2024, 17:35
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
09 Sep 2024, 13:03
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-07 08:15
Updated : 2025-06-03 21:12
NVD link : CVE-2024-45498
Mitre link : CVE-2024-45498
CVE.ORG link : CVE-2024-45498
JSON object : View
Products Affected
apache
- airflow
CWE
CWE-116
Improper Encoding or Escaping of Output