CVE-2022-40127

apache/airflow
on github

Published

Severity

CVSS v3: 8.8 HIGH
CVSS v2: N/A

Description

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

References

Configurations

CPE23 | Version Start | Version End | Exact Version
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* | n/a | 2.4.0 | *

External Links