漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Vulnerability Description
A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the `[core] allowed_deserialization_classes` config to a narrow allowlist.
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
Apache Airflow 反序列化注入漏洞
Vulnerability Description
Apache Software Foundation Apache Airflow是Apache Software Foundation基金会的开源工作流调度与数据管道编排平台。 Apache Airflow 3.3.0之前版本存在反序列化注入漏洞,该漏洞源于BaseSerialization.deserialize()在Scheduler/API Server加载序列化DAG时,允许无限制地import_string()攻击者控制的类路径,导致DAG作者可嵌入恶意触发实现远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A