List: oss-security
Subject: [oss-security] CVE-2022-24288: Apache Airflow: RCE in example DAGs
From: Jedidiah Cunningham <jedcunningham () apache ! org>
Date: 2022-02-24 18:01:16
Message-ID: e22399f1-15c2-da7b-5786-1368aaf87a4d () apache ! org
Severity: high
Description:
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
Mitigation:
This can be mitigated by ensuring `[core] load_examples` is set to `False`.
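A small defender-side check for this mitigation, added here as an example and not part of the advisory or of Airflow itself. It resolves the effective value of `[core] load_examples` the way an operator should reason about it, assuming Airflow's documented environment-variable override `AIRFLOW__CORE__LOAD_EXAMPLES` and its default of `True` when the key is absent from `airflow.cfg`:

```python
import configparser

# Airflow's AIRFLOW__<SECTION>__<KEY> override convention (assumed from Airflow's
# documented configuration behaviour, not stated in the advisory).
ENV_OVERRIDE = "AIRFLOW__CORE__LOAD_EXAMPLES"
# Airflow loads the example DAGs when the key is missing (assumed default).
DEFAULT_LOAD_EXAMPLES = True


def parse_bool(value: str) -> bool:
    """Accept the usual configparser boolean spellings; reject anything else."""
    v = value.strip().lower()
    if v in ("true", "1", "yes", "on"):
        return True
    if v in ("false", "0", "no", "off"):
        return False
    raise ValueError(f"unrecognised boolean value {value!r}")


def effective_load_examples(cfg_text: str, env: dict) -> bool:
    """Resolve [core] load_examples: env var first, then airflow.cfg, then default."""
    if ENV_OVERRIDE in env:
        return parse_bool(env[ENV_OVERRIDE])
    # interpolation=None: airflow.cfg values legitimately contain '%' characters.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if parser.has_option("core", "load_examples"):
        return parse_bool(parser.get("core", "load_examples"))
    return DEFAULT_LOAD_EXAMPLES


def check_mitigation(cfg_text: str, env: dict) -> list:
    """Return findings; an empty list means the example DAGs will not be loaded."""
    findings = []
    if effective_load_examples(cfg_text, env):
        findings.append("[core] load_examples resolves to True: example DAGs will be loaded")
    return findings


# Constructed airflow.cfg fragments for demonstration.
SAFE_CFG = "[core]\nload_examples = False\n"
UNSAFE_CFG = "[core]\nexecutor = LocalExecutor\n"  # key absent, so the default applies

if __name__ == "__main__":
    print(check_mitigation(SAFE_CFG, {}))
    print(check_mitigation(UNSAFE_CFG, {}))
    # A hardened airflow.cfg is silently overridden by the environment:
    print(check_mitigation(SAFE_CFG, {ENV_OVERRIDE: "True"}))
```

Run it against the deployed `airflow.cfg` and the scheduler's real environment, since the environment variable wins over the file.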
Credit:
The Apache Airflow PMC would like to thank Kai Zhao of the TToU Security Team for reporting this issue.