Arbitrary Code Execution Vulnerability in Apache Airflow

Summary

The CVE-2024-39877 vulnerability in Apache Airflow allows authenticated DAG authors to execute arbitrary code in the scheduler context, which is against the Airflow Security model. The affected versions are Apache-airflow 2.4.0 and versions before 2.9.3. Users are advised to upgrade to version 2.9.3 or later to remove the vulnerability. Additionally, Apache CloudStack has a vulnerability (CVE-2024-41107) that allows attackers to bypass authentication with a forged SAML response in versions 4.5.0 to 4.18.2.1 and 4.19.0.0 to 4.19.0.2. Vulnerability patches have been made available in the latest update, and users are encouraged to update to the latest version to address these vulnerabilities. No known exploits by ransomware groups have been reported for these vulnerabilities.

News Articles

ASEC – AhnLab

CVE-2024-39877CVE-2024-41107

Apache Product Security Update Advisory (CVE-2024-39877, CVE-2024-41107)

OverviewApache has released updates to fix vulnerabilities in their products. Users of affected versions are advised to update to the latest version.Affected ProductsCVE-2024-39877Apache-airflow version: 2.4.0Apache-airflow version: ~ 2.9.3 (excluded) CVE-2024-41107Apache CloudStack versions: 4.5.0 ...

5 months ago

References