CVE-2022-40189

Apache Airlfow Pig Provider RCE

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.

Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del sistema operativo ('inyección de comando del sistema operativo') en Apache Airflow Pig Provider, Apache Airflow permite a un atacante controlar los comandos ejecutados en el contexto de ejecución de la tarea, sin acceso de escritura a los archivos DAG. Este problema afecta a las versiones de Pig Provider anteriores a la 4.0.0. También afecta cualquier versión de Apache Airflow anterior a la 2.3.0 en caso de que Pig Provider esté instalado (Pig Provider 4.0.0 solo se puede instalar para Airflow 2.3.0+). Tenga en cuenta que debe instalar manualmente Pig Provider versión 4.0.0 para eliminar la vulnerabilidad además de la versión Airflow 2.3.0+.

*Credits: Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for reporting the issue.

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-08 CVE Reserved
2022-11-22 CVE Published
2024-06-14 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (2)

URL	Tag	Source
https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/apache/airflow/pull/27644	2022-11-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Airflow Search vendor "Apache" for product "Airflow"				< 2.3.0 Search vendor "Apache" for product "Airflow" and version " < 2.3.0"		-		Affected
Apache Search vendor "Apache"		Apache-airflow-providers-apache-pig Search vendor "Apache" for product "Apache-airflow-providers-apache-pig"				< 4.0.0 Search vendor "Apache" for product "Apache-airflow-providers-apache-pig" and version " < 4.0.0"		-		Affected