CVE-2022-40127
Apache Airflow <2.4.0 has an RCE in an example bash DAG (command injection via run_id)
Severity Score: 8.8 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 2 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions
A vulnerability in the example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.
*Credits:
Apache Airflow PMC would like to thank L3yx of Syclover Security Team.
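The advisory describes the mechanism only in one sentence: a BashOperator template in an example DAG interpolates run_id, and run_id is chosen by whoever triggers the DAG manually, so the value lands inside a shell command line. The Python below is an added illustration, not Airflow's code and not the vulnerable example DAG itself (the page does not reproduce it). It reconstructs the shape of the bug with a constructed template, runs the rendered string through a shell the way BashOperator ultimately does (Airflow uses bash -c; sh -c is used here for portability), and shows the hardened form that passes run_id through an environment variable instead. BashOperator's env argument is a template field in Airflow, so the same {{ run_id }} reference can be rendered there in a real DAG. A minimal regex substitution stands in for Jinja so this runs without Airflow installed; the DAG fragment fed to the audit helper is constructed for the example.

```python
"""CVE-2022-40127 pattern: trigger-controlled run_id rendered into a bash_command.

Added example (not Airflow code). Assumptions: Jinja is emulated by a regex
that only handles plain {{ name }} references; sh -c stands in for bash -c.
"""
import re
import subprocess
from typing import Dict, List, Optional


def render(template: str, context: Dict[str, str]) -> str:
    """Stand-in for Jinja rendering of {{ name }} references (no filters)."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: str(context[m.group(1)]), template)


def run_shell(command: str, env: Optional[Dict[str, str]] = None) -> str:
    """Hand the rendered command to a shell, as BashOperator does, and return stdout."""
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True, env=env)
    return result.stdout


# Constructed run_id an attacker supplies when triggering the DAG manually:
# it closes the double-quoted string, runs its own command, then reopens the
# quote so the rest of the template still parses.
MALICIOUS_RUN_ID = '"; echo INJECTED; echo "'

# Constructed template with the shape the advisory describes: run_id is
# substituted into the command string itself.
VULNERABLE_TEMPLATE = 'echo "run_id={{ run_id }}"'

# Hardened form: the command string is constant; run_id reaches the shell only
# as an environment variable, which the shell never re-parses as syntax.
HARDENED_TEMPLATE = 'echo "run_id=$RUN_ID"'


def vulnerable_task(run_id: str) -> str:
    return run_shell(render(VULNERABLE_TEMPLATE, {"run_id": run_id}))


def hardened_task(run_id: str) -> str:
    env = {"PATH": "/usr/bin:/bin", "RUN_ID": render("{{ run_id }}", {"run_id": run_id})}
    return run_shell(HARDENED_TEMPLATE, env=env)


def injected(output: str) -> bool:
    """True when the attacker's command ran (INJECTED appears as its own line)."""
    return "INJECTED" in output.splitlines()


# Context names a DAG trigger can influence; a bash_command that interpolates
# them is the pattern to hunt for in your own DAG files.
TRIGGER_CONTROLLED = {"run_id", "dag_run", "params"}


def audit_bash_commands(dag_source: str) -> List[str]:
    """Return bash_command templates in DAG source that interpolate trigger-controlled fields."""
    findings = []
    for match in re.finditer(r"bash_command\s*=\s*(['\"])(.*?)\1", dag_source, re.S):
        template = match.group(2)
        refs = re.findall(r"\{\{\s*([\w.]+)", template)
        if any(ref.split(".")[0] in TRIGGER_CONTROLLED for ref in refs):
            findings.append(template)
    return findings


# Constructed DAG fragment in the shape the advisory describes (not the real file).
SAMPLE_DAG_SOURCE = '''
also_run_this = BashOperator(
    task_id="also_run_this",
    bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"',
)
run_after_loop = BashOperator(task_id="run_after_loop", bash_command="echo 1")
safer = BashOperator(task_id="safer", bash_command='echo "run_id=$RUN_ID"', env={"RUN_ID": "{{ run_id }}"})
'''


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_task(MALICIOUS_RUN_ID)))
    print("hardened:  ", repr(hardened_task(MALICIOUS_RUN_ID)))
    print("flagged templates:", audit_bash_commands(SAMPLE_DAG_SOURCE))
```

Upgrading to 2.4.0 removes the vulnerable example, but the same audit applies to any DAG you wrote yourself, and whether the example DAGs are present at all depends on the load_examples setting in airflow.cfg.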
CVSS Scores
- CVSS v3.1 metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability): values not captured on this page
- CVSS v2 metrics (Attack Vector, Attack Complexity, Authentication, Confidentiality, Integrity, Availability): values not captured on this page
* Common Vulnerability Scoring System
SSVC
- Decision: -
- Exploitation, Automatable, Tech. Impact: values not captured on this page
* Organization's Worst-case Scenario
Timeline
- 2022-09-06 CVE Reserved
- 2022-11-14 CVE Published
- 2022-11-19 First Exploit
- 2024-08-03 CVE Updated
- 2025-04-11 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (5)

Mailing lists:

| URL | Tag |
|---|---|
| http://www.openwall.com/lists/oss-security/2022/11/14/2 | Mailing List |
| https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy | Mailing List |

Public exploits (2):

| URL | Date |
|---|---|
| https://github.com/Mr-xn/CVE-2022-40127 | 2022-11-19 |
| https://github.com/jakabakos/CVE-2022-40127-Airflow-RCE | 2023-08-03 |

Apache Airflow pull request:

| URL | Date |
|---|---|
| https://github.com/apache/airflow/pull/25960 | 2022-11-16 |