CVE-2024-39877: Apache Airflow has DAG Author Code Execution possibility in airflow-scheduler
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.3264%
CWE
Published
7/17/2024
Updated
1/21/2025
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| apache-airflow | pip | >= 2.4.0, < 2.9.3 | 2.9.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the get_doc_md method's template rendering logic shown in the commit diff. The original code (before patching) used jinja2.Template() and env.get_template() to process doc_md, enabling code execution via template injection. The patch removed all Jinja rendering, confirming this was the attack vector. The function's role in processing user-controlled doc_md parameters matches the CWE-94 (Code Injection) description in the advisory.