oss-sec mailing list archives

CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example


From: Jarek Potiuk <potiuk () apache org>
Date: Sun, 13 Nov 2022 22:48:47 +0000

Severity: low

Description:

A vulnerability in the example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute
arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

Mitigation:

Do not enable example DAGs on systems where UI users should not be allowed to execute arbitrary commands.
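One way to check a deployment against this mitigation, as an added example that is not part of the advisory or of the Airflow project's own code: it reads the [core] load_examples option, honouring the AIRFLOW__CORE__LOAD_EXAMPLES environment override and Airflow's default of True, and combines it with the affected-version range. The accepted boolean spellings and the sample configs are assumptions constructed for the example.

```python
"""Audit an Airflow deployment for the exposure described above:
example DAGs loaded on an Airflow release before 2.4.0."""
import configparser
import os
import re
from typing import Mapping, Optional

# Boolean spellings accepted for a config option (assumption, not Airflow's parser).
_TRUE = {"true", "t", "1", "yes", "y"}


def _to_bool(value: str) -> bool:
    return value.strip().lower() in _TRUE


def load_examples_enabled(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """True if example DAGs would be loaded: the AIRFLOW__CORE__LOAD_EXAMPLES
    environment variable overrides airflow.cfg, and the option defaults to True."""
    env = os.environ if env is None else env
    override = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if override is not None:
        return _to_bool(override)
    # airflow.cfg contains '%' in logging format strings, so disable interpolation.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if parser.has_option("core", "load_examples"):
        return _to_bool(parser.get("core", "load_examples"))
    return True


def is_affected_version(version: str) -> bool:
    """Releases prior to 2.4.0 are affected; pre-release suffixes are ignored."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < (2, 4, 0)


def audit(cfg_text: str, version: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Classify the deployment as 'exposed', 'examples-enabled' (patched) or 'ok'."""
    examples = load_examples_enabled(cfg_text, env)
    if examples and is_affected_version(version):
        return "exposed"
    return "examples-enabled" if examples else "ok"


# Constructed sample configs, not taken from any real deployment.
CFG_EXAMPLES_OFF = "[core]\ndags_folder = /opt/airflow/dags\nload_examples = False\n"
CFG_NO_SETTING = "[core]\ndags_folder = /opt/airflow/dags\n"

if __name__ == "__main__":
    print(audit(CFG_NO_SETTING, "2.3.4", env={}))  # exposed: default is True
    print(audit(CFG_EXAMPLES_OFF, "2.3.4", env={"AIRFLOW__CORE__LOAD_EXAMPLES": "true"}))  # exposed
```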

Credit:

Apache Airflow PMC would like to thank L3yx of Syclover Security Team.

References:

https://github.com/apache/airflow/pull/25960
