oss-sec mailing list archives
CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example
From: Jarek Potiuk <potiuk () apache org>
Date: Sun, 13 Nov 2022 22:48:47 +0000
Severity: low

Description: A vulnerability in the example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

Mitigation: Do not enable example DAGs on systems that should not allow UI users to execute an arbitrary command.

Credit: Apache Airflow PMC would like to thank L3yx of Syclover Security Team.

References: https://github.com/apache/airflow/pull/25960
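As an added defensive check (not code from the advisory or the Airflow project), the script below audits whether a deployment is exposed in the way the description states: it reads whether example DAGs are loaded, compares the running version against 2.4.0, and scans DAG source for a bash_command that Jinja-templates the user-supplied run_id. The [core] load_examples key, its AIRFLOW__CORE__LOAD_EXAMPLES environment override and its default of True are assumptions taken from standard Airflow configuration, not stated on the page.

```python
"""Exposure audit for CVE-2022-40127 (added example, not project code).

Assumptions: example DAGs are controlled by [core] load_examples in
airflow.cfg, overridable by AIRFLOW__CORE__LOAD_EXAMPLES, default True.
"""
import configparser
import re

def examples_enabled(cfg_text: str, env: dict) -> bool:
    """Return True if example DAGs would be loaded.

    The environment override wins over airflow.cfg; when neither is
    set Airflow falls back to its default of True (assumed)."""
    override = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if override is not None:
        return override.strip().lower() in ("true", "1", "yes")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.getboolean("core", "load_examples", fallback=True)

def version_affected(version: str) -> bool:
    """Affected releases are strictly below 2.4.0, per the advisory."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(p) for p in m.groups()) < (2, 4, 0)

def find_shell_templating(dag_source: str) -> list:
    """Report bash_command string literals that interpolate run_id via
    Jinja, i.e. a user-chosen value rendered straight into a shell line.
    Passing the value through `env=` instead is not flagged."""
    hits = []
    pattern = r'bash_command\s*=\s*(f?["\'])(.*?)\1'
    for m in re.finditer(pattern, dag_source, re.S):
        body = m.group(2)
        if re.search(r"\{\{\s*run_id\b", body):
            hits.append(("run_id", body))
    return hits

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    cfg = "[core]\nload_examples = True\n"
    dag = 'bash_command="echo run_id={{ run_id }}"'
    print("examples enabled:", examples_enabled(cfg, {}))
    print("2.3.4 affected:", version_affected("2.3.4"))
    print("templated run_id in shell:", find_shell_templating(dag))
```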