
List:       oss-security
Subject:    [oss-security] CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example
From:       Jarek Potiuk <potiuk () apache ! org>
Date:       2022-11-13 22:48:47
Message-ID: e300bb4d-e2ce-79e2-42fc-7ddcd4602a42 () apache ! org

Severity: low

Description:

A vulnerability in the example DAGs of Apache Airflow allows an attacker with
UI access who can trigger DAGs to execute arbitrary commands via a manually
provided run_id parameter. This issue affects Apache Airflow versions prior
to 2.4.0.

Mitigation:

Do not enable example DAGs on systems that should not allow UI users to
execute arbitrary commands.
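As an added defensive check (example code, not part of this advisory or of the Airflow project), the script below scans DAG source for the pattern the advisory describes: a BashOperator whose bash_command template interpolates the trigger-time run_id (generalised here to dag_run.conf as well, which a UI user also supplies when triggering) directly into the shell string. The DAG snippet it runs on is constructed for the example and shows both the risky form and the alternative of passing the value through the operator's env mapping.

```python
"""Flag BashOperator tasks whose bash_command template substitutes trigger-time
user input (run_id, dag_run.conf) into the shell command text.
Added example, not Airflow code; input DAG below is constructed."""
import ast
import re

# Jinja references a UI user controls when manually triggering a DAG run.
USER_CONTROLLED = re.compile(
    r"\{\{[^}]*\b(run_id|dag_run\.(run_id|conf))\b[^}]*\}\}"
)


def find_shell_interpolation(source: str) -> list:
    """Return (line, template) for every BashOperator(...) call whose
    bash_command string literal interpolates run_id or dag_run.conf."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "BashOperator"):
            continue
        for kw in node.keywords:
            if kw.arg != "bash_command":
                continue
            # Only plain string literals are inspected; env values are not,
            # because env is passed to the process rather than shell-parsed.
            if isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
                if USER_CONTROLLED.search(kw.value.value):
                    findings.append((node.lineno, kw.value.value))
    return findings


# Constructed DAG source: line 3 shows the risky pattern, line 7 the safer one.
CONSTRUCTED_DAG = '''
from airflow.operators.bash import BashOperator
risky = BashOperator(
    task_id="echo_run",
    bash_command='echo "{{ run_id }}"',  # run_id rendered into the command text
)
safer = BashOperator(
    task_id="echo_run_env",
    bash_command='echo "$RUN_ID"',       # shell only sees a variable reference
    env={"RUN_ID": "{{ run_id }}"},       # env is a templated field in BashOperator
)
'''

if __name__ == "__main__":
    for line, template in find_shell_interpolation(CONSTRUCTED_DAG):
        print(f"line {line}: bash_command interpolates trigger input: {template!r}")
```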

Credit:

Apache Airflow PMC would like to thank L3yx of Syclover Security Team.

References:

https://github.com/apache/airflow/pull/25960
