CVE-2022-38362 — Software Foundation Apache Airflow vulnerability

5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 27.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Apache-airflow-providers-docker

Timeline

PublishedAug 16

Latest updateSep 23

Description

Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/apache-airflow-providers-docker< 3.0.0

▶CVEListV5apache_software_foundation/apache_airflowApache Airflow Docker Provider — 3.0.0

🔴Vulnerability Details

OSV

Remote code execution in Apache Airflow Docker's Provider↗2022-08-17

▶

GHSA

Remote code execution in Apache Airflow Docker's Provider↗2022-08-17

▶

CVEList

Docker Provider <3.0 RCE vulnerability in example dag↗2022-08-16

▶

💬Community

HackerOne

CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag↗2022-09-23

▶