CVE-2022-40127
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow | Apache Airflow < 2.4.0 | affected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
Workarounds
Do not enable example dags on systems that should not allow UI user to execute an arbitrary command.
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/apache/airflow/pull/25960
- https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
- http://www.openwall.com/lists/oss-security/2022/11/14/2
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/apache/airflow/pull/25960
- https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
- http://www.openwall.com/lists/oss-security/2022/11/14/2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.