github · advisory-database · Nov 25, 2024 · Nov 25, 2024
diff --git a/advisories/github-reviewed/2024/09/GHSA-c392-whpc-vfpr/GHSA-c392-whpc-vfpr.json b/advisories/github-reviewed/2024/09/GHSA-c392-whpc-vfpr/GHSA-c392-whpc-vfpr.json
@@ -1,18 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c392-whpc-vfpr",
-  "modified": "2024-09-09T18:17:00Z",
+  "modified": "2024-09-09T18:17:01Z",
   "published": "2024-09-07T09:30:31Z",
   "aliases": [
     "CVE-2024-45498"
   ],
   "summary": "Apache Airflow vulnerable to Improper Encoding or Escaping of Output",
   "details": "Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see  https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
@@ -29,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "2.10.0"
             },
             {
               "fixed": "2.10.1"