Apache Airflow remote code execution vulnerability #321

Open
foyaga opened this issue Jul 17, 2024 · 0 comments
Labels
watchvuln (watchvuln push)

Comments

@foyaga (Owner)

foyaga commented Jul 17, 2024

Vulnerability description:

Apache Airflow is an open-source workflow automation platform that lets users define, schedule and monitor the execution of workflow tasks.
Affected versions of Airflow render the doc_md parameter of a DAG's attributes as a Jinja2 template; an attacker who controls the doc_md parameter can thereby execute arbitrary code.
The fixed version changes this to output the document content directly, which prevents malicious code execution.

Reference links:

  1. https://www.oscs1024.com/hd/MPS-d1sl-34fx
  2. apache/airflow@732a0e2
  3. Disable rendering for doc_md apache/airflow#40522
@foyaga foyaga added the watchvuln (watchvuln push) label Jul 17, 2024
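The rendering mistake the issue describes, shown as an added illustration that is not Airflow's code or the reporter's: the first function is the affected pattern (the document string itself is compiled as a Jinja2 template, so whatever sits between `{{ }}` or `{% %}` is evaluated), the second is the fixed pattern (the string is emitted as data). The audit helper, the `DocOnlyDag` stub, the function names and the sample document text are assumptions constructed for this example; the vulnerable path needs the `jinja2` package, the fixed path and the audit do not.

```python
"""Vulnerable versus fixed handling of a DAG's doc_md (added example).

Not Airflow's code: the function names, the DocOnlyDag stub and the sample
document are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: documentation text a DAG author could place in
# DAG(doc_md=...). "{{ ... }}" is Jinja2 expression syntax; the affected
# versions evaluated it instead of displaying it.
SAMPLE_DOC_MD = "# Nightly ETL\nOwner: data-team. Note: {{ 7 * 7 }}"


@dataclass
class DocOnlyDag:
    """Minimal stand-in for a DAG object (assumed shape: dag_id and doc_md)."""
    dag_id: str
    doc_md: str = ""


def render_doc_vulnerable(doc_md: str) -> str:
    """Affected pattern: the document string itself becomes the template.

    Whatever the doc author wrote inside {{ }} or {% %} is executed by the
    template engine, which is the root cause of the code execution.
    """
    import jinja2  # imported lazily so the rest of the module runs without Jinja2
    return jinja2.Template(doc_md).render()


def render_doc_fixed(doc_md: str) -> str:
    """Fixed pattern: the document is data and is passed through unchanged.

    If a surrounding page must still be templated, hand the text over as a
    variable (Template("{{ body }}").render(body=doc_md)); the engine then
    never parses the document's own contents.
    """
    return doc_md


# Matches Jinja2 expression ({{ }}) and statement ({% %}) delimiters.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def audit_doc_md(dags) -> list:
    """Defensive check for a deployment that is not yet patched: return
    (dag_id, first_match) for every DAG whose doc_md contains template syntax,
    so those documents can be reviewed before the web UI renders them."""
    findings = []
    for dag in dags:
        match = TEMPLATE_SYNTAX.search(getattr(dag, "doc_md", None) or "")
        if match:
            findings.append((dag.dag_id, match.group(0)))
    return findings


def demo() -> dict:
    """Run both renderers over the sample and the audit over two DAGs."""
    dags = [DocOnlyDag("etl_nightly", SAMPLE_DOC_MD), DocOnlyDag("reports", "# Plain docs")]
    result = {
        "fixed_output": render_doc_fixed(SAMPLE_DOC_MD),
        "audit": audit_doc_md(dags),
    }
    try:
        result["vulnerable_output"] = render_doc_vulnerable(SAMPLE_DOC_MD)
    except ImportError:
        result["vulnerable_output"] = "(jinja2 not installed)"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With Jinja2 installed, the vulnerable renderer turns the sample's `{{ 7 * 7 }}` into `49`, while the fixed renderer returns the text exactly as written; the audit reports `etl_nightly` as the only DAG whose documentation carries template syntax. The audit is a stop-gap for instances that cannot be upgraded immediately; the real fix is the one referenced above, never compiling the document as a template.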