Arbitrary Code Execution Vulnerability in Apache Airflow

CVE-2024-39877

8.8HIGH

Key Information

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 17 July 2024

Badges

📰 News Worthy

Summary

The CVE-2024-39877 vulnerability in Apache Airflow allows authenticated DAG authors to execute arbitrary code in the scheduler context, which is against the Airflow Security model. The affected versions are Apache-airflow 2.4.0 and versions before 2.9.3. Users are advised to upgrade to version 2.9.3 or later to remove the vulnerability. Additionally, Apache CloudStack has a vulnerability (CVE-2024-41107) that allows attackers to bypass authentication with a forged SAML response in versions 4.5.0 to 4.18.2.1 and 4.19.0.0 to 4.19.0.2. Vulnerability patches have been made available in the latest update, and users are encouraged to update to the latest version to address these vulnerabilities. No known exploits by ransomware groups have been reported for these vulnerabilities.

Affected Version(s)

Apache Airflow < 2.9.3

News Articles

ASEC – AhnLab

CVE-2024-39877CVE-2024-41107

Apache Product Security Update Advisory (CVE-2024-39877, CVE-2024-41107)

OverviewApache has released updates to fix vulnerabilities in their products. Users of affected versions are advised to update to the latest version.Affected ProductsCVE-2024-39877Apache-airflow version: 2.4.0Apache-airflow version: ~ 2.9.3 (excluded) CVE-2024-41107Apache CloudStack versions: 4.5.0 ...

4 months ago

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

First article discovered by ASEC – AhnLab
Jul 25, 2024
Vulnerability published.
Jul 17, 2024
Vulnerability Reserved.
Jul 1, 2024

Collectors

NVD DatabaseMitre Database1 News Article(s)

Credit

Seokchan Yoon (https://github.com/ch4n3-yoon)

Wei Lee