List:       oss-security
Subject:    [oss-security] CVE-2022-24288: Apache Airflow: RCE in example DAGs
From:       Jedidiah Cunningham <jedcunningham () apache ! org>
Date:       2022-02-24 18:01:16
Message-ID: e22399f1-15c2-da7b-5786-1368aaf87a4d () apache ! org

Severity: high

Description:

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

Mitigation:

This can be mitigated by ensuring `[core] load_examples` is set to `False`.

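As an added illustration (not the affected example DAG code, which this advisory does not reproduce), the Python below models the pattern described above: a user-supplied param spliced verbatim into a shell command, next to two hardened forms, plus a check of the `[core] load_examples` setting from the mitigation. The command template, the param value and the airflow.cfg text are constructed; treating a missing `load_examples` key as enabled is an assumption.

```python
import configparser
import shlex
import subprocess

# Constructed command template in the style of a DAG's bash_command that
# takes a param from the web UI. This is not Airflow's own example code.
BASH_TEMPLATE = "echo {greeting}"

# Constructed sample value carrying a shell metacharacter.
HOSTILE_PARAM = "hello; echo INJECTED"


def render_unsanitized(template: str, params: dict) -> str:
    """Vulnerable pattern: the raw param text is spliced into the command,
    so the ';' in HOSTILE_PARAM would split it into two commands."""
    return template.format(**params)


def render_quoted(template: str, params: dict) -> str:
    """Hardened pattern: every value is shell-quoted before it is spliced in,
    so the shell always sees it as a single literal word."""
    return template.format(**{k: shlex.quote(str(v)) for k, v in params.items()})


def run_shell(command: str) -> str:
    """Run a rendered command with sh and return its stdout (trailing newline stripped)."""
    out = subprocess.run(["sh", "-c", command], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def run_with_env(params: dict) -> str:
    """Safer alternative: never splice the value into the command text at all;
    hand it over through the environment and expand a quoted variable."""
    env = {"GREETING": str(params["greeting"]), "PATH": "/usr/bin:/bin"}
    out = subprocess.run(["sh", "-c", 'echo "$GREETING"'], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def examples_enabled(airflow_cfg_text: str) -> bool:
    """Check the advisory's mitigation: [core] load_examples must be False.
    Assumption: a missing key is treated as enabled."""
    cfg = configparser.ConfigParser()
    cfg.read_string(airflow_cfg_text)
    return cfg.getboolean("core", "load_examples", fallback=True)


if __name__ == "__main__":
    print("unsanitized:", render_unsanitized(BASH_TEMPLATE, {"greeting": HOSTILE_PARAM}))
    print("quoted     :", run_shell(render_quoted(BASH_TEMPLATE, {"greeting": HOSTILE_PARAM})))
    print("via env    :", run_with_env({"greeting": HOSTILE_PARAM}))
    print("examples on:", examples_enabled("[core]\nload_examples = False\n"))
```

Only the quoted and environment-based forms are executed; the unsanitized render is shown as a string to make the injected second command visible.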
Credit:

The Apache Airflow PMC would like to thank Kai Zhao of the TToU Security Team for reporting this issue.
