CVE-2024-45034
Apache Airflow vulnerable to Execution with Unnecessary Privileges
CVSS 3.1 base score: 8.8 (HIGH)
EPSS: 3.1%
Description
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
How to fix CVE-2024-45034
To remediate CVE-2024-45034, upgrade the affected package to a fixed version below.
- — upgrade to 2.10.1 or later
Is CVE-2024-45034 being exploited?
Low — EPSS is 3.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |