CVE-2024-49767

[lewijw]

Apache Airflow version

2.10.3

If "Other Airflow 2 version" selected, which one?

No response

What happened?

CVE-2024-49767 looks similar to CVE-2023-46136:

#36915

Is it also true for this CVE that "Airflow is not likely vulnerable"?

What you think should happen instead?

No response

How to reproduce

NA

Operating System

All

Versions of Apache Airflow Providers

No response

Deployment

Other

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[amoghrajesh]

Please use the security policy to report CVEs and any security related issues: https://github.com/apache/airflow?tab=security-ov-file#readme

[lewijw]

The CVE is public. Do you really want everyone that runs a scan on Airflow to contact the security email address to ask this question?

[eladkal]

Do you really want everyone that runs a scan on Airflow to contact the security email address to ask this question?

Our policy states that we do not accept reports of automated scans. If you believe Airflow is affected by any security issue you should report to the security email address with clear explnation of what the risk is and how it can be exploited. If you can't specify how it can be exploited the report will be automatically rejected. There are dozens of automated tools that generated many false report and there are many people who reports thoughts/concerns/questions. As open source project that is consistent mostly with volunteers we can not triage and handle such traffic volume so we expect the reporter to do the extra mile and verify that the problem being reported is real.

You are also very welcome to raise your thoughts on the poicy itself with the same email if you believe it should change and can offer reasoning for it.

[Uditmittal]

Any update on this thread or any plan.

[potiuk]

Airflow 3 is moving away from flask and Werkzeug (and Connexion 2 that is blocking is from releasing to later version of Werkzeug).

That's the plan.

And as explained before several times - you can still do a lot of stuff on your own and invest your money and time and energy (yes also yours @lewijw and your company) to do something about it.

Airlfow is generally upgrading to latest versions of dependencies with every new release - unless it's blocked by something - like this is the case. Also Airflow is run by volunters and deliver their software under the umbrella of Apache Software Foundation (Opsn Source Steward) for free without any guarantees (please read the ASF 2 licence).

And even according to planned regulations that are coming - CRA - it's the commercial users of Airlfow (those who put the software on the market) are responsible to check and verify if the software they release is bug free.

We are a good steward - we are following pretty much absolutely best practices for security out there. We are following very well established and governed procesesto make airlfow non-vulnerable and we do reasonable efforts there, but there are certain situations where others should take action. Especially if they want to make sure that the "scans" of all the dependencies they have does not contain any vulnerabilities. This is very clearly stated in our Security Policy - please read the policy.

You (not us - we already made our decision to get rid of the dependencies that are problematic - i.e. Connexion 2 - in Airflow 3) can do a number of things there, if you - commercial users of Airlfow - believe that Airflow is vulnerable (we don't think so) - you have several options where you can spend your time and energy (and eventually possibly help other commercial users of Airflow and have better certainty about this particular issue.

1. you can spend your efforts, time, energy and money to try to reproduce the issue show how it impacsts Airflow and report it privately following our security policy.

2. you can also pay some security researchers to produce an in-depth analysis on why Airlfow is not vulnerable and publish results here. That would ba a nice way how you can make others more certain that they can "tick-off" that report and say "not vulnerable".

3. you can raise simiilar issue to Connexion. The Connexion 2 is the one that is blocking us from upgrading Werkzeug. We attempted to migrate to Connexion 3 ([DRAFT] Switch to Connexion 3 framework #39055) - but this has proven to be very problematic and not-sustainable, so for Airlfow 3 we are getting rid of whole set of dependencies that are main reason of these problems (we are replacing Connexion with Fast API which is much better maintained and future-proof). This is the course of action we can do as maintainers

So you are absolutely not blocked here: you can do 1) 2) or 3) - depending when you want to spend your time energy and money to get that question answered. @lewijw as you are the one who created the issue, I guess you are really vested into knowing the answer, so in the spirit of community, giving back and contributing back, I think this might be a good idea that you take the lead on that.

Also @Uditmittal -> if you would like to take on any of those tasks, feel free.