List: oss-security
Subject: [oss-security] CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example
From: Jarek Potiuk <potiuk () apache ! org>
Date: 2022-11-13 22:48:47
Message-ID: e300bb4d-e2ce-79e2-42fc-7ddcd4602a42 () apache ! org
Severity: low
Description:
A vulnerability in the example DAGs shipped with Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter: the bash example DAG passes the run_id value into the shell command it runs. This issue affects Apache Airflow versions prior to 2.4.0.
Mitigation:
Do not enable the example DAGs (core.load_examples) on systems whose UI users must not be able to execute arbitrary commands. Upgrading to Apache Airflow 2.4.0 or later removes the vulnerable example.
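To make the advisory concrete, the following is an added example and not code from the Airflow project or its example DAGs. It models the pattern behind the issue: a templated bash_command that interpolates run_id into the shell command line. Jinja rendering is modelled with str.replace, the template and the attacker-controlled run_id are constructed for this example, and the shlex.quote variant is one way to stop the injection, not necessarily the change made in the referenced PR.

```python
import shlex
import subprocess

# Hypothetical stand-in for a templated bash_command in an example DAG:
# the value of run_id is substituted straight into the command line.
# Constructed for this example; real Airflow renders bash_command through
# Jinja, which is modelled here by plain str.replace.
VULNERABLE_TEMPLATE = 'echo "run_id={{ run_id }}"'

# Constructed attacker-supplied run_id: closes the double-quoted string,
# runs a command of its own, then re-opens a string so the line stays valid.
MALICIOUS_RUN_ID = '"; echo INJECTED; echo "'


def render_vulnerable(run_id: str) -> str:
    """Substitute run_id verbatim, as the unquoted template does."""
    return VULNERABLE_TEMPLATE.replace("{{ run_id }}", run_id)


def render_hardened(run_id: str) -> str:
    """Substitute run_id as a single shell word via shlex.quote.

    Whatever run_id contains, the shell now sees it as one argument to
    echo, so no part of it can be parsed as a separate command.
    """
    return "echo run_id=" + shlex.quote(run_id)


def run_shell(command: str) -> str:
    """Execute the rendered command with sh -c and return its stdout."""
    completed = subprocess.run(
        ["sh", "-c", command], capture_output=True, text=True, check=False
    )
    return completed.stdout


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable),
                           ("hardened", render_hardened)):
        cmd = renderer(MALICIOUS_RUN_ID)
        print(f"{name}: {cmd!r}")
        print(run_shell(cmd))
```

The vulnerable rendering produces three separate shell statements, so the injected echo runs; the hardened rendering prints the whole run_id, metacharacters included, as one argument. The broader lesson is that values a UI user can set (run_id, dag_run.conf, params) should never be spliced into a shell command line, even in example code.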
Credit:
Apache Airflow PMC would like to thank L3yx of Syclover Security Team.
References:
https://github.com/apache/airflow/pull/25960