CVE-2024-45034

Apache Airflow versions before 2.10.1 have a vulnerability that allowsDAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. 
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
VendorProductVersion
apacheairflow
𝑥
< 2.10.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/apache/airflow/pull/41672
https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
http://www.openwall.com/lists/oss-security/2024/09/06/3