CVE-2024-39877: Apache Airflow Security Update Addresses Code Execution Vulnerability

CVE-2024-39877 & CVE-2024-45784

Apache Airflow, the popular open-source workflow management platform, has released a security update to address a potentially severe code execution vulnerability (CVE-2024-39877) affecting versions 2.4.0 through 2.9.2. This vulnerability could allow authenticated DAG authors to execute arbitrary code within the scheduler context, potentially compromising the security and integrity of Airflow environments.

CVE-2024-39877

The vulnerability stems from the way Airflow handles the doc_md parameter, allowing malicious actors to inject code that executes within the scheduler’s context. This could enable attackers to gain unauthorized access to sensitive data, disrupt workflows, or even take control of the entire Airflow system.

All users running Apache Airflow versions 2.4.0 through 2.9.2 are vulnerable to this code execution flaw. Organizations and individuals utilizing Airflow for workflow orchestration are strongly advised to take immediate action to protect their systems.

The Apache Airflow team has promptly addressed this vulnerability in version 2.9.3. Upgrading to this latest version is the most effective way to mitigate the risk of exploitation. The update also includes a fix for a potential cross-site scripting (XSS) vulnerability (CVE-2024-39863) that could allow attackers to inject malicious links during provider installation.