Airflow 2.9.0 Vulnerability: Malicious Log Injection Risk
CVE-2024-32077

5.4MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 14 May 2024

Summary

Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.

Affected Version(s)

Apache Airflow 2.9.0 < 2.9.1

References

https://github.com/apache/airflow/pull/38882

patch

https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcy...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Apr 10, 2024

Credit

Ming

Jens Scheffler