Jinja2 vulnerability CVE-2024-34064 for 3.1.3 and lower #39710
Hi Team, do we have plans of upgrading the dependency of Jinja2 to >3.1.3?
Apache Airflow internally does not use the `xmlattr` filter, so this CVE does not affect Airflow itself, unless someone uses the filter directly in places where it could introduce a vulnerability. There is no upper bound limit for the `jinja2` dependency, e.g. there is no limit to upgrading Jinja (airflow/hatch_build.py, line 451 in 79cf7e0). There are also no known limits from other dependencies:

root@989fbc6d536f:/opt/airflow# pipdeptree --package jinja2 -r
Jinja2==3.1.4
├── apache-airflow==2.10.0.dev0 [requires: Jinja2>=3.0.0]
├── diagrams==0.23.4 [requires: Jinja2>=2.10,<4.0]
├── Flask==2.2.5 [requires: Jinja2>=3.0]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│ ├── connexion==2.14.2 [requires: Flask>=1.0.4,<2.3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: connexion>=2.10.0,<3.0]
│ ├── Flask-AppBuilder==4.4.1 [requires: Flask>=2,<3.0.0]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Babel==2.0.0 [requires: Flask]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Babel>=1,<3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Bcrypt==1.0.1 [requires: Flask]
│ ├── Flask-Caching==2.3.0 [requires: Flask]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-Caching>=1.5.0]
│ ├── Flask-JWT-Extended==4.6.0 [requires: Flask>=2.0,<4.0]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-JWT-Extended>=4.0.0,<5.0.0]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Limiter==3.6.0 [requires: Flask>=2]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Limiter>3,<4]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Login==0.6.3 [requires: Flask>=1.0.4]
│ │ ├── apache-airflow==2.10.0.dev0 [requires: Flask-Login>=0.6.2]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Login>=0.3,<0.7]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Session==0.5.0 [requires: Flask>=2.2]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-Session>=0.4.0,<0.6]
│ ├── Flask-SQLAlchemy==2.5.1 [requires: Flask>=0.10]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-SQLAlchemy>=2.4,<3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ └── Flask-WTF==1.2.1 [requires: Flask]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask-WTF>=0.15]
│ └── Flask-AppBuilder==4.4.1 [requires: Flask-WTF>=0.14.2,<2]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-Babel==2.0.0 [requires: Jinja2>=2.5]
│ └── Flask-AppBuilder==4.4.1 [requires: Flask-Babel>=1,<3]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── moto==5.0.6 [requires: Jinja2>=2.10.1]
├── python-nvd3==0.16.0 [requires: Jinja2>=2.8]
│ └── apache-airflow==2.10.0.dev0 [requires: python-nvd3>=0.15.0]
├── Sphinx==5.3.0 [requires: Jinja2>=3.0]
│ ├── sphinx-airflow-theme==0.0.12 [requires: Sphinx>=1.8]
│ ├── sphinx-argparse==0.4.0 [requires: Sphinx>=1.2.0]
│ ├── sphinx-autoapi==2.1.1 [requires: Sphinx>=5.2.0]
│ ├── sphinx-copybutton==0.5.2 [requires: Sphinx>=1.8]
│ ├── sphinx_design==0.5.0 [requires: Sphinx>=5,<8]
│ ├── sphinx-jinja==2.0.2 [requires: Sphinx>4.2.0]
│ ├── sphinx-rtd-theme==2.0.0 [requires: Sphinx>=5,<8]
│ ├── sphinxcontrib-httpdomain==1.8.1 [requires: Sphinx>=1.6]
│ ├── sphinxcontrib-jquery==4.1 [requires: Sphinx>=1.8]
│ │ └── sphinx-rtd-theme==2.0.0 [requires: sphinxcontrib-jquery>=4,<5]
│ ├── sphinxcontrib-redoc==1.6.0 [requires: Sphinx>=1.5]
│ └── sphinxcontrib-spelling==8.0.0 [requires: Sphinx>=3.0.0]
├── sphinx-autoapi==2.1.1 [requires: Jinja2]
├── sphinx-jinja==2.0.2 [requires: Jinja2>=2.11]
├── sphinxcontrib-redoc==1.6.0 [requires: Jinja2>=2.4]
└── towncrier==23.11.0 [requires: Jinja2]

If you would like to upgrade Jinja2 you might raise a PR with the changes; please make sure that you at least configure the static code checks locally, because dependency changes are reflected in multiple different places and the pre-commit checks help take care of it.
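A defender-side check for the two facts the reply relies on, added here as an example (it is not part of the discussion or of the Airflow project): it reports whether the installed Jinja2 predates the 3.1.4 fix and scans template and Python sources for use of the `xmlattr` filter. The sample sources and their file names are constructed for the example.

```python
import re
from importlib import metadata
from typing import Iterable, Optional

FIXED_VERSION = (3, 1, 4)  # CVE-2024-34064 is fixed in Jinja2 3.1.4

# Matches the filter in templates ({{ attrs|xmlattr }}) and in Python code
# that reaches for it directly (env.filters["xmlattr"], do_xmlattr).
XMLATTR_RE = re.compile(r"\|\s*xmlattr\b|do_xmlattr\b|['\"]xmlattr['\"]")


def parse_version(version: str) -> tuple:
    """Reduce a version string such as '3.1.3' to a comparable int tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the given Jinja2 version predates the 3.1.4 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_jinja2_version() -> Optional[str]:
    """Version of the Jinja2 distribution in this environment, if any."""
    try:
        return metadata.version("jinja2")
    except metadata.PackageNotFoundError:
        return None


def find_xmlattr_usages(sources: Iterable[tuple]) -> list:
    """Return (name, line_number) for every line that uses the xmlattr filter."""
    hits = []
    for name, text in sources:
        for lineno, line in enumerate(text.splitlines(), start=1):
            if XMLATTR_RE.search(line):
                hits.append((name, lineno))
    return hits


# Constructed sample inputs (hypothetical plugin files) so the example runs offline.
SAMPLE_SOURCES = [
    ("plugins/report.html", "<div {{ attrs|xmlattr }}>{{ title }}</div>\n"),
    ("plugins/safe.html", '<div class="{{ css }}">{{ title }}</div>\n'),
    ("plugins/views.py", "tag = env.filters['xmlattr'](attrs)\n"),
]

if __name__ == "__main__":
    ver = installed_jinja2_version()
    print("Jinja2", ver, "vulnerable:", bool(ver) and is_vulnerable_version(ver))
    print("xmlattr usages:", find_xmlattr_usages(SAMPLE_SOURCES))
```

To scan a real tree, feed `find_xmlattr_usages` pairs of (path, file text) read from the plugin and template directories you deploy.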