====================================================================

                                CERT-Renater

                     Note d'Information No. 2024/VULN368
_____________________________________________________________________

DATE                : 12/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                     to 2.10.1.

=====================================================================
https://lists.apache.org/thread/tl7lzczcqdmqj2pcpbvtjdpd2tb9561n
https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
_____________________________________________________________________

CVE-2024-45498: Apache Airflow: Command Injection in an example DAG


Severity: low

Affected versions:

- Apache Airflow 2.10.0

Description:

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow
version 2.10.0 has a vulnerability that allows an authenticated
attacker with only DAG trigger permission to execute arbitrary
commands. If you used that example as the base of your own DAGs, please
check that you have not copied the dangerous part of it; see
https://github.com/apache/airflow/pull/41873 for more information.
We recommend against exposing the example DAGs in your deployment.
If you must expose the example DAGs, upgrade Airflow to version
2.10.1 or later.


Credit:

Nhien Pham (aka nhienit) at Galaxy One (finder)
Amogh Desai (remediation developer)


References:

https://github.com/apache/airflow/pull/41873
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45498

_____________________________________________________________________

CVE-2024-45034: Apache Airflow: Authenticated DAG authors could
execute code on scheduler nodes

Severity: important

Affected versions:

- Apache Airflow before 2.10.1

Description:

Apache Airflow versions before 2.10.1 have a vulnerability that allows
DAG authors to place local settings in the DAG folder and have them
executed by the scheduler, which is not supposed to execute code
submitted by DAG authors.
Users are advised to upgrade to version 2.10.1 or later, which fixes
the vulnerability.
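As an added example, not part of this note or of Apache Airflow's own
code, the following Python script applies the checks implied by both
advisories above to a deployment: it compares the installed version
against the ranges named for CVE-2024-45498 (only 2.10.0) and
CVE-2024-45034 (before 2.10.1), resolves whether example DAGs are
loaded (the [core] load_examples option, which the
AIRFLOW__CORE__LOAD_EXAMPLES environment variable overrides), and lists
any airflow_local_settings.py found in the DAG folder. The sample
airflow.cfg and file listing are constructed; the assumption that the
"local settings" of CVE-2024-45034 means Airflow's
airflow_local_settings.py module, and the helper names, are mine.

```python
import configparser
import os
import re
from typing import Dict, Iterable, List, Tuple

# Versions named in the two advisories.
AFFECTED_45498 = (2, 10, 0)   # the only release shipping the vulnerable example DAG
FIXED_45034 = (2, 10, 1)      # first release carrying the scheduler fix

# Assumption: the "local settings" file of CVE-2024-45034 is Airflow's
# local settings module; the advisory itself does not name the file.
LOCAL_SETTINGS_FILENAME = "airflow_local_settings.py"

# Constructed airflow.cfg for the demonstration (not from any real host).
SAMPLE_CFG = """\
[core]
dags_folder = /opt/airflow/dags
load_examples = True
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.10.0' (or '2.10.1rc1') into a comparable tuple of ints.
    Pre-release suffixes are dropped, so '2.10.1rc1' compares as 2.10.1."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Airflow version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def examples_enabled(cfg_text: str, env: Dict[str, str]) -> bool:
    """Resolve [core] load_examples as Airflow does: the environment
    variable wins over airflow.cfg, and the option defaults to True
    when neither sets it (the default a fresh install runs with)."""
    raw = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if raw is None:
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(cfg_text)
        raw = cfg.get("core", "load_examples", fallback="True")
    return raw.strip().lower() in ("true", "1", "yes", "t")


def stray_local_settings(dag_folder_files: Iterable[str]) -> List[str]:
    """Return DAG-folder paths whose basename is the local settings module.
    A DAG author should have no reason to place that file there."""
    return [p for p in dag_folder_files
            if os.path.basename(p) == LOCAL_SETTINGS_FILENAME]


def assess(version: str, cfg_text: str, env: Dict[str, str],
           dag_folder_files: Iterable[str] = ()) -> Dict[str, object]:
    """Combine the version, configuration and DAG-folder checks into one
    finding per CVE plus the remediation steps the advisories give."""
    v = parse_version(version)
    examples = examples_enabled(cfg_text, env)
    exposed_45498 = (v == AFFECTED_45498) and examples
    affected_45034 = v < FIXED_45034
    stray = stray_local_settings(dag_folder_files)

    actions: List[str] = []
    if affected_45034:
        actions.append("Upgrade Apache Airflow to 2.10.1 or later (CVE-2024-45034).")
    if examples:
        actions.append("Set [core] load_examples = False; example DAGs should "
                       "not be exposed in a deployment (CVE-2024-45498).")
    if stray:
        actions.append("Review unexpected local settings files in the DAG folder: "
                       + ", ".join(stray))
    return {
        "version": v,
        "cve_2024_45498_exposed": exposed_45498,
        "cve_2024_45034_affected": affected_45034,
        "suspicious_files": stray,
        "actions": actions,
    }


if __name__ == "__main__":
    # Constructed DAG-folder listing; the local settings file is the odd one out.
    listing = ["/opt/airflow/dags/etl.py",
               "/opt/airflow/dags/airflow_local_settings.py"]
    for line in assess("2.10.0", SAMPLE_CFG, {}, listing)["actions"]:
        print("-", line)
```

The version check alone is what most inventories run, but the second
and third checks matter for the advisories' own recommendations: a
2.10.0 deployment that has disabled example DAGs is not exposed to
CVE-2024-45498, and a 2.10.1 upgrade does not remove a settings file a
DAG author has already dropped into the folder, so the listing check is
worth keeping after the upgrade.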


Credit:

Seokchan Yoon: https://github.com/ch4n3-yoon (finder)
Amogh Desai (remediation developer)


References:

https://github.com/apache/airflow/pull/41672
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45034


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
