diff --git a/advisories/github-reviewed/2024/09/GHSA-c392-whpc-vfpr/GHSA-c392-whpc-vfpr.json b/advisories/github-reviewed/2024/09/GHSA-c392-whpc-vfpr/GHSA-c392-whpc-vfpr.json
index 9a6c62ff84c80..6fa09dd2f7136 100644
--- a/advisories/github-reviewed/2024/09/GHSA-c392-whpc-vfpr/GHSA-c392-whpc-vfpr.json
+++ b/advisories/github-reviewed/2024/09/GHSA-c392-whpc-vfpr/GHSA-c392-whpc-vfpr.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c392-whpc-vfpr",
- "modified": "2024-09-09T18:17:00Z",
+ "modified": "2024-09-09T18:17:01Z",
 "published": "2024-09-07T09:30:31Z",
 "aliases": [
 "CVE-2024-45498"
@@ -9,10 +9,6 @@
 "summary": "Apache Airflow vulnerable to Improper Encoding or Escaping of Output",
 "details": "Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.",
 "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
@@ -29,7 +25,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "2.10.0"
 },
 {
 "fixed": "2.10.1"
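Review bot: After the `severity` hunk (`@@ -9,10 +9,6 @@`) the advisory carries only a `CVSS_V4` entry, so any consumer that reads only `CVSS_V3` vectors will find no score for CVE-2024-45498 and may stop prioritising it. `severity` is an array, so both vectors can coexist. Unless the v3 vector was withdrawn as incorrect, consider keeping `{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" },` next to the v4 entry. The reason for the removal is not visible in the diff, so this is a question to confirm rather than a certain regression.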
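Review bot: Raising the lower bound from `"introduced": "0"` to `"introduced": "2.10.0"` in the `events` hunk (`@@ -29,7 +25,7 @@`) drops any pre-release of 2.10.0 from the affected range, because pre-releases normally order before the final release. The details text ties the vulnerable `example_inlet_event_extra.py` to 2.10.0, so the narrowing looks right for final releases. It is still worth confirming that no published pre-release shipped the same example DAG. If one did, the range should start there, e.g. `"introduced": "<earliest affected pre-release>"`. The package name and ecosystem of this `ranges` entry lie outside the hunk, so the ordering rule is inferred.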