List: oss-security
Subject: [oss-security] CVE-2022-41131: Apache Airflow Hive Provider vulnerability (command injection via hiv
From: Jarek Potiuk <potiuk () apache ! org>
Date: 2022-11-21 20:48:59
Message-ID: 91533482-24c2-5c74-ada0-ecfdbfcca7f0 () apache ! org
Severity: moderate
Description:
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Hive Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install Hive Provider version 4.1.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Hive Provider installed.
Credit:
Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for reporting the issue.
References:
https://github.com/apache/airflow/pull/27647
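A version check for the affected ranges stated above, as an added example that is not part of this advisory or of the Airflow project: it encodes the two boundaries (Hive Provider fixed in 4.1.0; that release installs only on Airflow 2.3.0+) and reads the installed versions from the local Python environment. The function names and the simplified version parser are my own; the distribution names are the real PyPI names.

```python
"""Check whether an Airflow + Hive Provider pair falls in the range affected by
CVE-2022-41131, using only the version boundaries given in the advisory.
Standalone helper (not Airflow project code)."""
import re
from importlib.metadata import PackageNotFoundError, version as pkg_version

FIXED_PROVIDER = (4, 1, 0)       # first Hive Provider release with the fix
MIN_AIRFLOW_FOR_FIX = (2, 3, 0)  # Hive Provider 4.1.0 needs Airflow 2.3.0+


def parse_version(text):
    """Turn '4.1.0' or '2.3.0rc1' into a comparable tuple of ints.
    Pre-release suffixes are dropped; enough for release-boundary checks."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n or 0) for n in m.groups())


def cve_2022_41131_status(airflow_version, hive_provider_version):
    """Return (vulnerable, reason). hive_provider_version=None means the
    provider is not installed at all."""
    if hive_provider_version is None:
        return False, "Hive Provider not installed; CVE-2022-41131 does not apply"
    provider = parse_version(hive_provider_version)
    airflow = parse_version(airflow_version)
    if provider >= FIXED_PROVIDER:
        return False, f"Hive Provider {hive_provider_version} includes the fix"
    if airflow < MIN_AIRFLOW_FOR_FIX:
        return True, (f"Airflow {airflow_version} cannot run Hive Provider 4.1.0; "
                      "upgrade Airflow to 2.3.0+, then the provider to 4.1.0+")
    return True, (f"Hive Provider {hive_provider_version} is vulnerable; "
                  "upgrade the provider to 4.1.0+ (Airflow version is sufficient)")


def installed_status():
    """Evaluate the versions actually installed in this environment."""
    try:
        airflow = pkg_version("apache-airflow")
    except PackageNotFoundError:
        return False, "apache-airflow is not installed in this environment"
    try:
        hive = pkg_version("apache-airflow-providers-apache-hive")
    except PackageNotFoundError:
        hive = None
    return cve_2022_41131_status(airflow, hive)


if __name__ == "__main__":
    vulnerable, reason = installed_status()
    print(("VULNERABLE: " if vulnerable else "OK: ") + reason)
```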