Jinja2 vulnerability CVE-2024-34064 for 3.1.3 and lower #39710
-
|
Hi Team , Do we have plans of upgrading the dependency of jinja 2 to >3.1.3 ? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Apache Airflow internally do not use There is no upper bound limit for Line 451 in 79cf7e0 There is also no known limits from other dependencies root@989fbc6d536f:/opt/airflow# pipdeptree --package jinja2 -r
Jinja2==3.1.4
├── apache-airflow==2.10.0.dev0 [requires: Jinja2>=3.0.0]
├── diagrams==0.23.4 [requires: Jinja2>=2.10,<4.0]
├── Flask==2.2.5 [requires: Jinja2>=3.0]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask>=2.2,<2.3]
│ ├── connexion==2.14.2 [requires: Flask>=1.0.4,<2.3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: connexion>=2.10.0,<3.0]
│ ├── Flask-AppBuilder==4.4.1 [requires: Flask>=2,<3.0.0]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Babel==2.0.0 [requires: Flask]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Babel>=1,<3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Bcrypt==1.0.1 [requires: Flask]
│ ├── Flask-Caching==2.3.0 [requires: Flask]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-Caching>=1.5.0]
│ ├── Flask-JWT-Extended==4.6.0 [requires: Flask>=2.0,<4.0]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-JWT-Extended>=4.0.0,<5.0.0]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Limiter==3.6.0 [requires: Flask>=2]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Limiter>3,<4]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Login==0.6.3 [requires: Flask>=1.0.4]
│ │ ├── apache-airflow==2.10.0.dev0 [requires: Flask-Login>=0.6.2]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-Login>=0.3,<0.7]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ ├── Flask-Session==0.5.0 [requires: Flask>=2.2]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-Session>=0.4.0,<0.6]
│ ├── Flask-SQLAlchemy==2.5.1 [requires: Flask>=0.10]
│ │ └── Flask-AppBuilder==4.4.1 [requires: Flask-SQLAlchemy>=2.4,<3]
│ │ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
│ └── Flask-WTF==1.2.1 [requires: Flask]
│ ├── apache-airflow==2.10.0.dev0 [requires: Flask-WTF>=0.15]
│ └── Flask-AppBuilder==4.4.1 [requires: Flask-WTF>=0.14.2,<2]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── Flask-Babel==2.0.0 [requires: Jinja2>=2.5]
│ └── Flask-AppBuilder==4.4.1 [requires: Flask-Babel>=1,<3]
│ └── apache-airflow==2.10.0.dev0 [requires: Flask-AppBuilder==4.4.1]
├── moto==5.0.6 [requires: Jinja2>=2.10.1]
├── python-nvd3==0.16.0 [requires: Jinja2>=2.8]
│ └── apache-airflow==2.10.0.dev0 [requires: python-nvd3>=0.15.0]
├── Sphinx==5.3.0 [requires: Jinja2>=3.0]
│ ├── sphinx-airflow-theme==0.0.12 [requires: Sphinx>=1.8]
│ ├── sphinx-argparse==0.4.0 [requires: Sphinx>=1.2.0]
│ ├── sphinx-autoapi==2.1.1 [requires: Sphinx>=5.2.0]
│ ├── sphinx-copybutton==0.5.2 [requires: Sphinx>=1.8]
│ ├── sphinx_design==0.5.0 [requires: Sphinx>=5,<8]
│ ├── sphinx-jinja==2.0.2 [requires: Sphinx>4.2.0]
│ ├── sphinx-rtd-theme==2.0.0 [requires: Sphinx>=5,<8]
│ ├── sphinxcontrib-httpdomain==1.8.1 [requires: Sphinx>=1.6]
│ ├── sphinxcontrib-jquery==4.1 [requires: Sphinx>=1.8]
│ │ └── sphinx-rtd-theme==2.0.0 [requires: sphinxcontrib-jquery>=4,<5]
│ ├── sphinxcontrib-redoc==1.6.0 [requires: Sphinx>=1.5]
│ └── sphinxcontrib-spelling==8.0.0 [requires: Sphinx>=3.0.0]
├── sphinx-autoapi==2.1.1 [requires: Jinja2]
├── sphinx-jinja==2.0.2 [requires: Jinja2>=2.11]
├── sphinxcontrib-redoc==1.6.0 [requires: Jinja2>=2.4]
└── towncrier==23.11.0 [requires: Jinja2]If you would like to upgrade Jinja2 you might raise a PR with changes, place make sure that you at least configure Static code checks locally, because change dependencies reflected in multiple different places and pre-commit check help with care about it |
Beta Was this translation helpful? Give feedback.
-
|
Sure , Thanks on this , We have seen the dependency in the latest constraints file for airflow so raised the discussion . If we don't have an upper limit for jinja2 i think we should be good here . |
Beta Was this translation helpful? Give feedback.
-
|
Constraints exists for provide reproducible setup, and it usually doesn't changes after Airflow released, there is exception for this rule, when with provided constraints Airflow or Community providers doesn't work, e.g. some upper-bound incompatibilities You could download constraints, change it for whatever value you want and provide custom constraints to |
Beta Was this translation helpful? Give feedback.
-
|
Yes understand , Will follow the same to update my constraints and provide pip the custom constraints . Thanks Will mark this discussion as closed from my end . |
Beta Was this translation helpful? Give feedback.
Apache Airflow internally do not use
xmlattrfilter so this CVE do not affect Airflow itself, unless some one use directly filter in places where it could provide vulnerability.There is no upper bound limit for
jinja2dependency, e.g. there is no limit to upgrade a Jinjaairflow/hatch_build.py
Line 451 in 79cf7e0
There is also no known limits from other dependencies