Apache Product Security Update Advisory (CVE-2024-39877, CVE-2024-41107)
Overview
Apache has released updates that fix vulnerabilities in two of its products, Apache Airflow and Apache CloudStack. Users of affected versions are advised to update to a fixed version.
Affected Products
CVE-2024-39877
- Apache Airflow versions: 2.4.0 (inclusive) ~ 2.9.3 (excluded), i.e. 2.4.0 through 2.9.2
CVE-2024-41107
- Apache CloudStack versions: 4.5.0 (inclusive) ~ 4.18.2.1 (inclusive)
- Apache CloudStack versions: 4.19.0.0 (inclusive) ~ 4.19.0.2 (inclusive)
Resolved Vulnerabilities
An authenticated DAG author could craft the doc_md parameter of a DAG so that rendering it allowed arbitrary code execution in the context of the scheduler; the fix disables rendering of doc_md (CVE-2024-39877)
The CloudStack SAML authentication plugin (disabled by default) did not enforce signature verification on SAML responses. In environments where SAML authentication is enabled, an attacker who initiates CloudStack SAML single sign-on can bypass authentication by submitting a spoofed SAML response with no signature and a known or guessed username of a SAML-enabled CloudStack account, gaining access to everything that account owns or can reach (CVE-2024-41107)
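The failure mode behind CVE-2024-41107, shown as an added example that is not CloudStack code: a service provider that reads the NameID out of a SAML response without enforcing a signature lets anyone who can reach the SSO endpoint log in as any account name they can guess. The IdP key, the XML and the HMAC-based signature (a stand-in for the XMLDSig signature real SAML uses) are all constructed for this example; a real service provider verifies the XMLDSig signature with a proper library against the IdP certificate it has been configured with.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed IdP signing key. Real SAML uses an XMLDSig RSA/ECDSA signature
# checked against the IdP certificate configured on the service provider; the
# HMAC below is a stand-in that keeps the example self-contained.
IDP_KEY = b"constructed-idp-signing-key"


def canonical_assertion(assertion):
    """Bytes the signature covers: the Assertion serialised without its own
    ds:Signature child (a stand-in for exclusive XML canonicalisation)."""
    stripped = copy.deepcopy(assertion)
    for sig in stripped.findall("ds:Signature", NS):
        stripped.remove(sig)
    return ET.tostring(stripped)


def idp_sign_response(response_xml, key=IDP_KEY):
    """What a legitimate IdP does: attach a signature to the Assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    mac = hmac.new(key, canonical_assertion(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{NS['ds']}}}Signature")
    ET.SubElement(sig, f"{{{NS['ds']}}}SignatureValue").text = mac
    return ET.tostring(root, encoding="unicode")


def login_vulnerable(response_xml):
    """Pre-fix pattern: read the NameID and trust it, no signature check.
    Whoever can POST to the SSO endpoint chooses who they log in as."""
    root = ET.fromstring(response_xml)
    return root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text


def login_fixed(response_xml, key=IDP_KEY):
    """Fixed pattern: fail closed. A missing signature is a rejection, not a
    skipped check, and the NameID is read only from the verified Assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise PermissionError("response carries no Assertion")
    sig_value = assertion.find("ds:Signature/ds:SignatureValue", NS)
    if sig_value is None or not sig_value.text:
        raise PermissionError("unsigned Assertion rejected")
    expected = hmac.new(key, canonical_assertion(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_value.text.strip()):
        raise PermissionError("Assertion signature does not verify")
    return assertion.find("saml:Subject/saml:NameID", NS).text


# Constructed sample response, as an IdP would build it before signing.
GENUINE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed attacker input: same shape, no signature, and a guessed username
# of a SAML-enabled account, which is exactly the CVE-2024-41107 scenario.
FORGED = GENUINE.replace("alice", "admin")


def demo():
    """Run both service-provider behaviours over the constructed inputs."""
    signed = idp_sign_response(GENUINE)
    results = {
        "vulnerable_accepts_forged": login_vulnerable(FORGED),
        "fixed_accepts_signed": login_fixed(signed),
    }
    for name, xml in (("forged_unsigned", FORGED),
                      ("signed_then_tampered", signed.replace("alice", "admin"))):
        try:
            results[name] = "accepted as " + login_fixed(xml)
        except PermissionError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two details carry the security value. First, the absence of a signature must be a rejection rather than a skipped check; the vulnerable handler never asks whether a signature exists at all. Second, the signature must be verified over the same Assertion the NameID is taken from, otherwise an attacker can pair a genuinely signed Assertion with an unsigned one of their own and have the handler read the wrong subject.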
Vulnerability Patches
Fixed versions are listed below. Follow the upgrade instructions on the Referenced Sites to move to a fixed version.
CVE-2024-39877
- Apache Airflow version: 2.9.3 or later
CVE-2024-41107
- Apache CloudStack version: 4.18.2.2 or later (4.18.x line)
- Apache CloudStack version: 4.19.1.0 or later (4.19.x line)
- Until the upgrade is applied, the SAML plugin can be disabled by setting the global setting saml2.enabled to false; the plugin is disabled by default, so deployments that never enabled SAML authentication are not exposed.
Referenced Sites
[1] CVE-2024-39877 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-39877
[2] Disable rendering for doc_md
https://github.com/apache/airflow/pull/40522
[3] CVE-2024-41107 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-41107
[4] openwall