{"id":"PYSEC-2024-264","details":"Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. \nUsers are recommended to upgrade to version 2.9.1, which fixes this issue.","aliases":["BIT-airflow-2024-32077","CVE-2024-32077","GHSA-52gm-qmg3-r4qp"],"modified":"2026-05-21T15:00:18.145915890Z","published":"2024-05-14T16:17:01.970Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2024/05/14/1"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/gsjmnrqb3m5fzp0vgpty1jxcywo91v77"},{"type":"FIX","url":"https://github.com/apache/airflow/pull/38882"}],"affected":[{"package":{"name":"apache-airflow","ecosystem":"PyPI","purl":"pkg:pypi/apache-airflow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"2.9.0-NA"},{"last_affected":"2.9.0-beta1"},{"last_affected":"2.9.0-beta2"},{"last_affected":"2.9.0-rc1"},{"last_affected":"2.9.0-rc2"},{"last_affected":"2.9.0-rc3"}]}],"versions":["2.9.0b1","2.9.0b2","2.9.0rc1","2.9.0rc2","2.9.0rc3"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2024-264.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}