CVE-2022-40127

🗓️ 14 Nov 2022 00:00:00Reported by apacheType

cve🔗 web.nvd.nist.gov📰️ 10 Media mentions👁 111 Views🌐 WEB

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0

Reporter	Title	Published	Views	Family All 22
GithubExploit	Exploit for Code Injection in Apache Airflow	21 Jul 202312:55	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Airflow	21 Jul 202312:55	–	githubexploit
Circl	CVE-2022-40127	19 Nov 202213:07	–	circl
CNNVD	Apache Airflow 代码注入漏洞	14 Nov 202200:00	–	cnnvd
CNVD	Apache Airflow code injection vulnerability	17 Nov 202200:00	–	cnvd
Cvelist	CVE-2022-40127 Apache Airflow <2.4.0 has an RCE in a bash example	14 Nov 202200:00	–	cvelist
Github Security Blog	Apache Airflow vulnerable to OS Command Injection via example DAGs	14 Nov 202212:00	–	github
Hacker One	Internet Bug Bounty: CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example	17 Nov 202200:43	–	hackerone
Nuclei	AirFlow < 2.4.0 - Remote Code Execution	6 Jun 202603:01	–	nuclei
NVD	CVE-2022-40127	14 Nov 202210:15	–	nvd

NVD

Vulners

Node

apache airflowRange<2.4.0

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Airflow",
    "versions": [
      {
        "version": "Apache Airflow",
        "status": "affected",
        "lessThan": "2.4.0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
openwall	www.openwall.com/lists/oss-security/2022/11/14/2
github	www.github.com/apache/airflow/pull/25960
lists	www.lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy