
List:       oss-security
Subject:    [oss-security] CVE-2022-38649: Apache Airflow Pinot Provider, Apache Airflow: PinotAdminHook Command
From:       Jarek Potiuk <potiuk () apache ! org>
Date:       2022-11-21 20:24:03
Message-ID: d342cc67-4b93-1ea2-1e9e-6bdf17605f7c () apache ! org

Severity: moderate

Description:

Improper Neutralization of Special Elements used in an OS Command ('OS
Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache
Airflow allows an attacker to control commands executed in the task
execution context, without write access to DAG files. This issue affects
Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any
Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot
Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be
installed for Airflow 2.3.0+). Note that you need to manually install the
Pinot Provider version 4.0.0 in order to get rid of the vulnerability on
top of Airflow 2.3.0+ version.
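Added example, not code from the Pinot provider or from the fix in PR 27641: it shows the general CWE-78 pattern the advisory names, for a hypothetical hook that takes an executable path and a subcommand from an Airflow connection's extras. The names `cmd_path`, `ALLOWED_BASENAMES` and `ALLOWED_SUBCOMMANDS` are assumptions; the real provider's parameters are not given in the advisory.

```python
import shlex
import subprocess
from pathlib import PurePosixPath

# Assumed allowlists (not the provider's): the only executable and subcommands
# the hook may ever run, regardless of what a connection's extras say.
ALLOWED_BASENAMES = frozenset({"pinot-admin.sh"})
ALLOWED_SUBCOMMANDS = frozenset({"AddTable", "AddSchema", "UploadSegment"})


def build_shell_string_unsafe(cmd_path: str, subcommand: str, options: list[str]) -> str:
    """Vulnerable pattern: connection-controlled values are joined into one
    string destined for a shell, so a value holding a shell operator becomes a
    second command. The string is only returned here, never executed."""
    return f"{cmd_path} {subcommand} {' '.join(options)}"


def shell_operators_in(command: str) -> list[str]:
    """Defender-side check: tokenize the string as a POSIX shell would and
    return every control operator, i.e. each point where a shell would start
    another command or redirect output."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and all(ch in ";&|()<>" for ch in tok)]


def build_argv(cmd_path: str, subcommand: str, options: list[str]) -> list[str]:
    """Hardened form: validate each connection-controlled value against an
    allowlist and return an argv list. Run with shell=False, no element is
    reinterpreted by a shell, so options need no escaping at all."""
    if PurePosixPath(cmd_path).name not in ALLOWED_BASENAMES:
        raise ValueError(f"refusing executable outside allowlist: {cmd_path!r}")
    if subcommand not in ALLOWED_SUBCOMMANDS:
        raise ValueError(f"refusing unknown pinot-admin subcommand: {subcommand!r}")
    return [cmd_path, subcommand, *options]


def run_pinot_admin(cmd_path: str, subcommand: str, options: list[str]) -> subprocess.CompletedProcess:
    """Execute the validated argv directly, without a shell."""
    argv = build_argv(cmd_path, subcommand, options)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed malicious extra: the executable path carries a trailing command.
    tainted = "pinot-admin.sh; id"
    print(shell_operators_in(build_shell_string_unsafe(tainted, "AddTable", ["-filePath", "t.json"])))
    print(build_argv("/opt/pinot/bin/pinot-admin.sh", "AddTable", ["-filePath", "t.json"]))
```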

Credit:

Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for
reporting the issue.

References:

https://github.com/apache/airflow/pull/27641
