CVE-2024-45034

EUVD-2024-0013
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. 
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
apacheairflow
𝑥
< 2.10.1
apacheairflow
𝑥
< 2.10.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/apache/airflow/pull/41672
https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
http://www.openwall.com/lists/oss-security/2024/09/06/3