{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T19:56:47.429","vulnerabilities":[{"cve":{"id":"CVE-2024-39877","sourceIdentifier":"security@apache.org","published":"2024-07-17T08:15:02.073","lastModified":"2024-11-21T09:28:28.910","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability."},{"lang":"es","value":"Apache Airflow 2.4.0 y versiones anteriores a 2.9.3 tienen una vulnerabilidad que permite a los autores de DAG autenticados crear un parámetro doc_md de manera que pueda ejecutar código arbitrario en el contexto del programador, lo que debería estar prohibido según el modelo de seguridad de Airflow. Los usuarios deben actualizar a la versión 2.9.3 o posterior, que eliminó la vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-277"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.0","versionEndExcluding":"2.9.3","matchCriteriaId":"7AFAC89A-220F-4E86-BB03-8F9439217EEA"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/40522","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1","source":"security@apache.org","tags":["Mailing List"]},{"url":"http://www.openwall.com/lists/oss-security/2024/07/16/7","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/apache/airflow/pull/40522","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}}]}