Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-39877 #2986

Closed
GoVulnBot opened this issue Jul 17, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-39877 #2986

GoVulnBot opened this issue Jul 17, 2024 · 1 comment
Assignees
@tatianab
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. triaged

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-39877 references a vulnerability in the following Go modules:

Module
github.com/apache/airflow

Description:
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
summary: CVE-2024-39877 in github.com/apache/airflow
cves:
    - CVE-2024-39877
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39877
    - fix: https://github.com/apache/airflow/pull/40522
    - web: https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
source:
    id: CVE-2024-39877
    created: 2024-07-17T09:01:14.553988078Z
review_status: UNREVIEWED
@tatianab tatianab added possibly not Go triaged excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed possibly not Go labels Jul 17, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/599457 mentions this issue: data/excluded,data/reports: add 6 reports

@tatianab tatianab self-assigned this Jul 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot