CVE-2022-41131

CWE-78OS Command Injection4 documents4 sources
Severity
7.8HIGH
EPSS
1.0%
top 22.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Apache Software Foundation Apache Airflow Hive ProviderApache AirflowApache Apache-airflow-providers-apache-hive+1 more
Timeline
PublishedNov 22

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you nee

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

NVDapache/airflow< 2.3.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
OS Command Injection in Apache Airflow2022-11-22
CVEList
Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)2022-11-22
GHSA
OS Command Injection in Apache Airflow2022-11-22
CVE-2022-41131 (HIGH CVSS 7.8) | Improper Neutralization of Special | cvebase.io