CVE-2022-40127

Published: Nov 14, 2022Modified: Apr 30, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.

Affected (1)

Products: Apache: Airflow

Apache

1 product

Airflow

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Airflow	Before 2.4.0

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

http://www.openwall.com/lists/oss-security/2022/11/14/2

Source: security@apache.org

Mailing ListThird Party Advisory

https://github.com/apache/airflow/pull/25960

Source: security@apache.org

PatchThird Party Advisory

https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy

Source: security@apache.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2022/11/14/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://github.com/apache/airflow/pull/25960

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.