CVE-2024-39877
HIGHApache Airflow 2.4.0-2.9.2 - Authenticated Remote Code Execution via doc_md Parameter
Title source: llmDescription
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
References (3)
Core 3
Core References
Issue Tracking, Patch patch
https://github.com/apache/airflow/pull/40522
Mailing List vendor-advisory
https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
Scores
CVSS v3
8.8
EPSS
0.0173
EPSS Percentile
74.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-277
CWE-94
Status
published
Products (2)
apache/airflow
2.4.0 - 2.9.3
pypi/apache-airflow
2.4.0 - 2.9.3PyPI
Published
Jul 17, 2024
Tracked Since
Feb 18, 2026