CVE-2022-41131

Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).

Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del sistema operativo ('inyección de comando del sistema operativo') en Apache Airflow Hive Provider, Apache Airflow permite a un atacante ejecutar comandos arbitrarios en el contexto de ejecución de la tarea, sin acceso de escritura a los archivos DAG. Este problema afecta a las versiones del proveedor Hive anteriores a la 4.1.0. También afecta cualquier versión de Apache Airflow anterior a la 2.3.0 en caso de que esté instalado HIve Provider (Hive Provider 4.1.0 solo se puede instalar para Airflow 2.3.0+). Tenga en cuenta que debe instalar manualmente la versión 4.1.0 del proveedor Hive para eliminar la vulnerabilidad además de la versión 2.3.0+ de Airflow que tiene instalada una versión inferior del proveedor Hive).

*Credits: Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for reporting the issue.

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-19 CVE Reserved
2022-11-22 CVE Published
2024-06-14 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (2)

URL	Tag	Source
https://lists.apache.org/thread/wwo3qp0z8gv54yzn7hr04wy4n8gb0vhl	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/apache/airflow/pull/27647	2022-11-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Airflow Search vendor "Apache" for product "Airflow"				< 2.3.0 Search vendor "Apache" for product "Airflow" and version " < 2.3.0"		-		Affected
Apache Search vendor "Apache"		Apache-airflow-providers-apache-hive Search vendor "Apache" for product "Apache-airflow-providers-apache-hive"				< 4.1.0 Search vendor "Apache" for product "Apache-airflow-providers-apache-hive" and version " < 4.1.0"		-		Affected