Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-24288OS Command Injection in Software Foundation Apache Airflow

CWE-78OS Command Injection8 documents7 sources
Severity
8.8HIGHNVD
EPSS
89.1%
top 0.47%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache Software Foundation Apache AirflowApache Airflow
Timeline
PublishedFeb 25
Latest updateApr 1

Description

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDapache/airflow< 2.2.4
CVEListV5apache_software_foundation/apache_airflowunspecified2.2.4

🔴Vulnerability Details

5
GHSA
OS Command injection in Apache Airflow2022-02-26
OSV
OS Command injection in Apache Airflow2022-02-26
OSV
CVE-2022-24288: In Apache Airflow, prior to version 22022-02-25
CVEList
Apache Airflow: RCE in example DAGs2022-02-25
VulnCheck
Apache Airflow Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')2022

💥Exploits & PoCs

1
Nuclei
Apache Airflow OS Command Injection

💬Community

1
HackerOne
CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs2022-04-01
CVE-2022-24288 — OS Command Injection | cvebase