GHSA-92xg-gmrq-5c3w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-92xg-gmrq-5c3w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-92xg-gmrq-5c3w/GHSA-92xg-gmrq-5c3w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-92xg-gmrq-5c3w
- Aliases
- Published
- 2024-09-07T09:30:31Z
- Modified
- 2024-09-10T08:12:20.026833Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Apache Airflow vulnerable to Execution with Unnecessary Privileges
- Details
-
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
- References
Affected packages
PyPI / apache-airflow
Package
- Name
- apache-airflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.10.1
Affected versions
1.*
1.8.1
1.8.2rc1
1.8.2
1.9.0
1.10.0
1.10.1b1
1.10.1rc2
1.10.1
1.10.2b2
1.10.2rc1
1.10.2rc2
1.10.2rc3
1.10.2
1.10.3b1
1.10.3b2
1.10.3rc1
1.10.3rc2
1.10.3
1.10.4b2
1.10.4rc1
1.10.4rc2
1.10.4rc3
1.10.4rc4
1.10.4rc5
1.10.4
1.10.5rc1
1.10.5
1.10.6rc1
1.10.6rc2
1.10.6
1.10.7rc1
1.10.7rc2
1.10.7rc3
1.10.7
1.10.8rc1
1.10.8
1.10.9rc1
1.10.9
1.10.10rc1
1.10.10rc2
1.10.10rc3
1.10.10rc4
1.10.10rc5
1.10.10
1.10.11rc1
1.10.11rc2
1.10.11
1.10.12rc1
1.10.12rc2
1.10.12rc3
1.10.12rc4
1.10.12
1.10.13rc1
1.10.13
1.10.14rc1
1.10.14rc2
1.10.14rc3
1.10.14rc4
1.10.14
1.10.15rc1
1.10.15
2.*
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0
2.0.1rc1
2.0.1rc2
2.0.1
2.0.2rc1
2.0.2
2.1.0rc1
2.1.0rc2
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2
2.1.3rc1
2.1.3
2.1.4rc1
2.1.4rc2
2.1.4
2.2.0b1
2.2.0b2
2.2.0rc1
2.2.0
2.2.1rc1
2.2.1rc2
2.2.1
2.2.2rc1
2.2.2rc2
2.2.2
2.2.3rc1
2.2.3rc2
2.2.3
2.2.4rc1
2.2.4
2.2.5rc1
2.2.5rc2
2.2.5rc3
2.2.5
2.3.0b1
2.3.0rc1
2.3.0rc2
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2rc2
2.3.2
2.3.3rc1
2.3.3rc2
2.3.3rc3
2.3.3
2.3.4rc1
2.3.4
2.4.0b1
2.4.0rc1
2.4.0
2.4.1rc1
2.4.1
2.4.2rc1
2.4.2
2.4.3rc1
2.4.3
2.5.0rc1
2.5.0rc2
2.5.0rc3
2.5.0
2.5.1rc1
2.5.1rc2
2.5.1
2.5.2rc1
2.5.2rc2
2.5.2
2.5.3rc1
2.5.3rc2
2.5.3
2.6.0b1
2.6.0rc1
2.6.0rc2
2.6.0rc3
2.6.0rc4
2.6.0rc5
2.6.0
2.6.1rc1
2.6.1rc2
2.6.1rc3
2.6.1
2.6.2rc1
2.6.2rc2
2.6.2
2.6.3rc1
2.6.3
2.7.0b1
2.7.0rc1
2.7.0rc2
2.7.0
2.7.1rc1
2.7.1rc2
2.7.1
2.7.2rc1
2.7.2
2.7.3rc1
2.7.3
2.8.0b1
2.8.0rc1
2.8.0rc2
2.8.0rc3
2.8.0rc4
2.8.0
2.8.1rc1
2.8.1
2.8.2rc1
2.8.2rc2
2.8.2rc3
2.8.2
2.8.3rc1
2.8.3
2.8.4rc1
2.8.4
2.9.0b1
2.9.0b2
2.9.0rc1
2.9.0rc2
2.9.0rc3
2.9.0
2.9.1rc1
2.9.1rc2
2.9.1
2.9.2rc1
2.9.2
2.9.3rc1
2.9.3
2.10.0b1
2.10.0b2
2.10.0rc1
2.10.0
2.10.1rc1