Execution with Unnecessary Privileges
CVE-2024-45034
Summary
Apache Airflow versions prior to 2.10.1rc1 contain a vulnerability that allows DAG authors to add local settings to the DAG folder, which can then be executed by the scheduler. This is a security concern as the scheduler is not intended to execute code submitted by the DAG author.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-250 - Execution with Unnecessary Privileges
The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
References
Advisory Timeline
- Published