Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do. If you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) has minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2. If you used Edge Provider in Airflow 3, you are not affected.
Support for the Edge3 provider on Airflow 2 was exclusively developmental in nature and was never officially released. However, installing and configuring the Edge3 provider on Airflow 2 implicitly activated an undocumented API created solely for testing purposes during development. This API allowed a DAG author to execute arbitrary code in the context of the Airflow 2 webserver process — that is, with privileges that a DAG author should not normally have. In Airflow 3, the vulnerable code was removed, and Edge3 provider versions >= 2.0.0 require at least Airflow 3.
An attacker with DAG author privileges can execute arbitrary code (RCE) in the context of the Airflow 2 webserver process, which can lead to complete compromise of system confidentiality, integrity, and availability.
The Edge3 provider should be uninstalled from Airflow 2 and migration to Airflow 3 should be performed. Edge3 provider versions >= 2.0.0 require at least Airflow 3 and do not contain vulnerable code — however, it is not possible to use Edge3 provider 2.0.0+ on Airflow 2. If migration to Airflow 3 is not immediately possible, the Edge3 provider should be immediately uninstalled from Airflow 2.
Apache Airflow Providers Edge3 versions before 2.0.0, installed and configured on Apache Airflow 2. Installations based on Airflow 3 are not vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Airflow Providers Edge3
APPApache< 2.0.0
Related vulnerabilities
Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych
Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację
Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie
Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu
RCE w Apache HugeGraph-Server — zdalne wykonanie poleceń bez uwierzytelnienia