CVE-2022-24288

Summary

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Airflowunspecified < 2.2.4affected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Workarounds

This can be mitigated by ensuring [core] load_examples is set to False.

ADP Enrichment

CVE Program Container

Additional References

References