BIT-airflow-2024-39877
Arbitrary Code Execution vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2024-39877 About?
Apache Airflow before version 2.9.3 is vulnerable to arbitrary code execution by authenticated DAG authors via a crafted `doc_md` parameter. This allows them to execute forbidden code within the scheduler context, potentially compromising the Airflow environment. Exploitability is rated high; the attack requires an authenticated user with DAG authoring rights.
Affected Software
Technical Details
The vulnerability in Apache Airflow, affecting versions from 2.4.0 up to 2.9.3, allows authenticated DAG authors to achieve arbitrary code execution within the scheduler context. This is possible by crafting a malicious `doc_md` parameter, which is intended for DAG documentation, in a way that circumvents existing security controls. The core issue is that the `doc_md` parameter is processed unsafely, permitting the inclusion and execution of code that should be explicitly forbidden by the Airflow Security Model. This could involve server-side template injection or other mechanisms that allow the attacker's code to run with the privileges of the scheduler process, leading to full compromise of the Airflow instance, including data manipulation, system access, or further privilege escalation.
What is the Impact of BIT-airflow-2024-39877?
Successful exploitation may allow attackers to execute arbitrary code, compromise the integrity, confidentiality, and availability of data, escalate privileges, and gain full control over the affected system.
What is the Exploitability of BIT-airflow-2024-39877?
Exploitation of this vulnerability requires an authenticated user who also has DAG authoring privileges. The complexity is moderate, as it involves crafting a specific `doc_md` parameter to trigger the code execution. Once authenticated with authoring capabilities, the attack can be performed remotely. No special conditions or complex prerequisites beyond the specified user role are needed. The likelihood of exploitation is significantly increased in environments where DAG authors are not fully trusted, or in situations where an attacker could compromise an existing DAG author's account.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-airflow-2024-39877?
Available Upgrade Options
- apache-airflow
  - >2.4.0, <2.9.3 → Upgrade to 2.9.3
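To check whether a deployment pins a version in that range, the following added example (not code from the advisory or from the Airflow project) audits a requirements-style pin list. The function names and the sample input are hypothetical, only exact `==` pins are evaluated, and the bounds are copied from the upgrade list above.

```python
import re

# Bounds copied from the upgrade list on this page: >2.4.0, <2.9.3
LOWER_EXCLUSIVE = (2, 4, 0)
FIXED = (2, 9, 3)

# name, optional [extras], '==' pin, version; markers and comments are ignored
PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"==\s*(?P<ver>[0-9][^\s;#]*)"
)

def normalize(name):
    """PEP 503 name normalisation, so Apache_Airflow matches apache-airflow."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_affected(version):
    """True if a pinned version falls inside the range given on this page."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    parts = [int(p) for p in m.group(1).split(".")]
    release = tuple((parts + [0, 0, 0])[:3])
    prerelease = re.search(r"(?:a|b|rc|dev)\d*$", m.group(2)) is not None
    if release == FIXED and prerelease:
        return True  # a pre-release of 2.9.3 sorts before the fixed release
    return LOWER_EXCLUSIVE < release < FIXED

def audit(requirements_text):
    """Return (line_no, version, affected) for every apache-airflow pin."""
    findings = []
    for line_no, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize(m.group("name")) == "apache-airflow":
            findings.append((line_no, m.group("ver"), is_affected(m.group("ver"))))
    return findings

# Constructed sample input, not taken from any real project
SAMPLE = """\
# constraints for the scheduler image
apache-airflow[celery,postgres]==2.8.1 ; python_version >= "3.8"
apache-airflow-providers-http==4.10.0
Apache_Airflow==2.9.3
apache-airflow==2.9.3rc1  # release candidate
apache-airflow==2.3.4
"""

if __name__ == "__main__":
    for line_no, ver, affected in audit(SAMPLE):
        status = "AFFECTED, upgrade to 2.9.3" if affected else "ok"
        print(f"line {line_no}: apache-airflow {ver} -> {status}")
```

Provider packages such as `apache-airflow-providers-http` are versioned separately and are deliberately not matched.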
Additional Resources
- https://github.com/apache/airflow/pull/40522
- https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
- https://osv.dev/vulnerability/PYSEC-2024-190
- https://osv.dev/vulnerability/GHSA-g5hv-r743-v8pm
- https://github.com/apache/airflow
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2024-39877
- http://www.openwall.com/lists/oss-security/2024/07/16/7
What are Similar Vulnerabilities to BIT-airflow-2024-39877?
Similar Vulnerabilities: CVE-2023-46233, CVE-2023-46232, CVE-2022-44641, CVE-2022-43228, CVE-2022-39327
