First published: Mon Nov 14 2022(Updated: )
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
Credit: security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
pip/apache-airflow | <2.4.0 | 2.4.0 |
Apache Airflow | <2.4.0 | |
<2.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-40127 is a vulnerability in Example Dags of Apache Airflow that allows an attacker with UI access to execute arbitrary commands via manually provided run_id parameter.
The severity of CVE-2022-40127 is high (CVSS score: 8.8).
CVE-2022-40127 affects Apache Airflow versions prior to 2.4.0.
An attacker with UI access who can trigger DAGs can exploit CVE-2022-40127 by executing arbitrary commands via the manually provided run_id parameter.
To fix CVE-2022-40127, upgrade to Apache Airflow version 2.4.0 or later.