
Execution with Unnecessary Privileges

CVE-2024-45034

Severity High
Score 8.1/10

Summary

Apache Airflow versions prior to 2.10.1rc1 contain a vulnerability that allows DAG authors to add local settings to the DAG folder, which can then be executed by the scheduler. This is a security concern as the scheduler is not intended to execute code submitted by the DAG author.
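A defender-side check for the condition described in the summary, as an added example that is not part of this advisory or of the Airflow project: it compares a version string against 2.10.1rc1 and lists local settings files found under a DAG folder. The file name `airflow_local_settings.py`, the function names and the status labels are assumptions, not taken from this page.

```python
import re
import tempfile
from pathlib import Path

FIXED = "2.10.1rc1"  # from the advisory: versions prior to this are affected
# Assumption (not stated on this page): file name of Airflow's local settings module.
LOCAL_SETTINGS_NAME = "airflow_local_settings.py"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}  # a final release sorts after its rc


def version_key(version):
    """Sortable key for X.Y.Z with an optional a/b/rc pre-release suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch), _PRE_RANK[pre], int(pre_n or 0))


def is_affected(version):
    return version_key(version) < version_key(FIXED)


def find_local_settings(dag_folder):
    """Local settings files under the DAG folder (recursive, to be conservative)."""
    return sorted(p for p in Path(dag_folder).rglob(LOCAL_SETTINGS_NAME) if p.is_file())


def audit(version, dag_folder):
    hits = [str(p) for p in find_local_settings(dag_folder)]
    if is_affected(version):
        status = "investigate" if hits else "upgrade"
    else:
        status = "review-leftover-file" if hits else "ok"
    return {"status": status, "local_settings_files": hits}


if __name__ == "__main__":
    # Constructed sample: a temporary DAG folder holding one DAG and one settings file.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "etl_dag.py").write_text("# constructed sample DAG\n")
        (Path(tmp) / LOCAL_SETTINGS_NAME).write_text("# constructed sample\n")
        for ver in ("2.10.0", "2.10.1rc1", "2.10.1"):
            print(ver, audit(ver, tmp))
```

A hit on an affected version means a file in the DAG folder may already have been executed by the scheduler, so its contents and change history deserve review before it is deleted.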

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • NONE

CWE-250 - Execution with Unnecessary Privileges

The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Advisory Timeline

  • Published