DATABASE RESOURCES PRICING ABOUT US

{"id": "H1:1671140", "vendorId": null, "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag", "description": "Apache Airflow Docker's Provider shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.\n\n##Vulnerability summary:\nIn DAG script of airflow 2.3.3, there is a command injection vulnerability (RCE) in the script (example_docker_copy_data.py of docker provider), which can obtain the permission of the operating system. \n\nsource path: \nairflow-2.3.3/airflow/providers/docker/example_dags/example_docker_copy_data.py\n\n##Vulnerability details\uff1a\n(1) Vulnerability principle\uff1a\n1. It can be seen from the source code of example_docker_copy_data.py script that there is the function of executing bash command, The parameter \u2018source_location\u2019 in the template expression {{params.source_location}} is externally controllable and rendered through the jiaja2 template: \n\n{F1869746}\n\n2. Further analysis \u201cfrom airflow.operators.bash import BashOperator\u201d code, we can see bash_command parameter value will be executed as a bash script;\n\n{F1869748}\n\n(2)Vulnerability exploit\uff1a\n1. Enter the DAGs menu and start docker_sample_copy_data task, select \u201cTrigger DAG w/ config\u201d. \n\nhttp://192.168.3.17:8080/trigger?dag_id=docker_sample_copy_data\n\n{F1869749}\n\n2. To construct payload, we can separate commands with \u2018;\u2019, so as to inject any operating system commands to be executed(RCE).\n\n{F1869750}\n\nPAYLOAD\uff1a```{\"source_location\":\";touch /tmp/thisistest;\"}```, Then click trigger to execute the task.\n\n{F1869755}\n\nThe final command is as follows:\n```locate_file_cmd = \u201c\u201d\u201d sleep 10\nfind ;touch /tmp/thisistest; -type f -printf \u201c%f\\n\u201d | head -1\n\u201c\u201d\u201d\n```\n\nThrough the log and server view, it can be seen that arbitrary command has been executed successfully.\n\n{F1869756}\n\n{F1869757}\n\n## Impact\n\nAn attacker can execute arbitrary commands on the airflow host.", "published": "2022-08-16T15:02:54", "modified": "2022-09-23T17:16:36", "epss": [{"cve": "CVE-2022-38362", "epss": 0.00065, "percentile": 0.26628, "modified": "2023-06-03"}], "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://hackerone.com/reports/1671140", "reporter": "happyhacking123", "references": [], "cvelist": ["CVE-2022-38362"], "immutableFields": [], "lastseen": "2023-10-17T07:24:44", "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cnvd", "idList": ["CNVD-2022-59057"]}, {"type": "cve", "idList": ["CVE-2022-38362"]}, {"type": "github", "idList": ["GHSA-746V-HFH2-XPHM"]}, {"type": "osv", "idList": ["OSV:GHSA-746V-HFH2-XPHM"]}, {"type": "prion", "idList": ["PRION:CVE-2022-38362"]}, {"type": "veracode", "idList": ["VERACODE:36725"]}]}, "score": {"value": 9.3, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-38362", "epss": 0.00065, "percentile": 0.26512, "modified": "2023-05-02"}], "vulnersScore": 9.3}, "_state": {"dependencies": 1697527852, "score": 1698852850, "epss": 0}, "_internal": {"score_hash": "d5bd8417b835eae47ecfddb928279cce"}, "bounty": 0.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/ibb", "handle": "ibb", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/v0qywgoh5hm4cbhuanu8mqdtowhr/d3dc6b2d7e2dc3657e8861b0d7e2dfca1a6d513dd784c613f4e56738907cea98?response-content-disposition=inline%3B%20filename%3D%22ibb%20revision%205%20copy.png%22%3B%20filename%2A%3DUTF-8%27%27ibb%2520revision%25205%2520copy.png&response-content-type=image%2Fpng&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQU26RBXEK%2F20231017%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20231017T072443Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEG8aCXVzLXdlc3QtMiJGMEQCIE4H5u1%2FryaoM80suiwpnxIufDoxJ%2BVNnxiorrq08F6OAiBuynKgwd%2FtAjgndMgcGnoul5yyognWZp2AmApaqZqCBSq7BQiI%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAMaDDAxMzYxOTI3NDg0OSIM3UJcxNNN%2FanJEwSsKo8FzKz9y7U%2FR6sT34GLBlxu%2FTxNXQv84L8XHL0AUwKMYzRzLmZqAMqSnhomGtzCuOExbb%2FTeARj4MP1qkfwwN%2BTpiGh9k8S39bpSu7%2BDDKi85HVbWu3loT57g8UfENUcEhn6k7aWDZ8UyKChlC9KEyaO89i7SJAsUUvLhRWAXqtJ%2FiR1Pv0zcrrI3GpsntoEyzI6zuH%2BqSTGN1pmKQBF0KyEka9x2kS5%2B4fDgzSxi5sLy%2FsIAyo01thTL1NGFm%2Be2F6S1%2BICrZhtjpsb2yrnh8shwvM6yQ5T8utX9o8AZ8oHJFFO0Nj2Z11j3umag2TyRfy25%2FB4AsGWEZpJ02s69EkiYuf6tL80vjy%2FtcXTT40Avk7VlA4pkKHIucahAYDsiOT3kBMGgDNLcJVXb7hNHyaci%2Br2Dn9LyUgYbW%2F5ys6EuU4XT46I4Yw%2BHFpi0n%2B%2B77LNV2TnjF2YBtoYoETAnaBzqsRCS3h%2FNO0bJWqkvIOra%2BcOIIwb7G48PIhx1bEF29%2B%2BE9X09B9W6FaZMAKxyarc9ZrvjPzx1muhAMdD8MvF0i4%2FbhHUlQ0t%2BFiKJkCeiB3NZz0Jrdl4gBJ4LcIFDtoMBKminawSYLR8aEimyQd3t4JlJf8HMLZiib3j5BaVapdkTvGGfsjHBw63ATi2f52hNGivpFUdKTljZ%2F0%2BxHCpYjtKwpNzKp%2FnkI9vR10O4fLC4E5CmiJsI8FXDA%2FuajTuIXhMIWkaGybGi2JOF%2B6Kwo%2BY0VZqoivHs80JjKZcms8R0b9EU4ZUurQuFo6UEAal7ZfRnRNwEt2fdsipbdPF6G2fnEe6sm68FYoakgOM%2FXREuIwcS1auWT1GxsE7c%2B7LmDQMHXwYeX0zz1eOOfbgDDN47ipBjqyATnQiusAmBwPAIeKOPrXjcni9mTq%2Fb%2BIqrWqHiO1Qwnevl%2Bug%2FPoO914nnM%2BkG7Rjs1IFRhcwjIqL7Ro02LpAhQmr9aVStzxZav6s801ayIn8%2FlGLgtSw0x0PISdJsA%2FD392n7D8c1O1e3rVcr04H%2BCnFKI1oNk%2FwtHrzsvrYgAYsl8J3uwm9TR85qqGDf0q%2FI086ooFNHvqa29FWiUoxwaOZ52JmoFVLqvSO2ngOZjl3jY%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=faf3376ba4e0337e6797ef1130163e3162ae8feb820489693ce7c75b0d575704", "medium": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/v0qywgoh5hm4cbhuanu8mqdtowhr/5136ed9b2fa7c4d4abbf39fb971047c62d98ec4740a88eb55d7e26373250a937?response-content-disposition=inline%3B%20filename%3D%22ibb%20revision%205%20copy.png%22%3B%20filename%2A%3DUTF-8%27%27ibb%2520revision%25205%2520copy.png&response-content-type=image%2Fpng&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQU26RBXEK%2F20231017%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20231017T072443Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEG8aCXVzLXdlc3QtMiJGMEQCIE4H5u1%2FryaoM80suiwpnxIufDoxJ%2BVNnxiorrq08F6OAiBuynKgwd%2FtAjgndMgcGnoul5yyognWZp2AmApaqZqCBSq7BQiI%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAMaDDAxMzYxOTI3NDg0OSIM3UJcxNNN%2FanJEwSsKo8FzKz9y7U%2FR6sT34GLBlxu%2FTxNXQv84L8XHL0AUwKMYzRzLmZqAMqSnhomGtzCuOExbb%2FTeARj4MP1qkfwwN%2BTpiGh9k8S39bpSu7%2BDDKi85HVbWu3loT57g8UfENUcEhn6k7aWDZ8UyKChlC9KEyaO89i7SJAsUUvLhRWAXqtJ%2FiR1Pv0zcrrI3GpsntoEyzI6zuH%2BqSTGN1pmKQBF0KyEka9x2kS5%2B4fDgzSxi5sLy%2FsIAyo01thTL1NGFm%2Be2F6S1%2BICrZhtjpsb2yrnh8shwvM6yQ5T8utX9o8AZ8oHJFFO0Nj2Z11j3umag2TyRfy25%2FB4AsGWEZpJ02s69EkiYuf6tL80vjy%2FtcXTT40Avk7VlA4pkKHIucahAYDsiOT3kBMGgDNLcJVXb7hNHyaci%2Br2Dn9LyUgYbW%2F5ys6EuU4XT46I4Yw%2BHFpi0n%2B%2B77LNV2TnjF2YBtoYoETAnaBzqsRCS3h%2FNO0bJWqkvIOra%2BcOIIwb7G48PIhx1bEF29%2B%2BE9X09B9W6FaZMAKxyarc9ZrvjPzx1muhAMdD8MvF0i4%2FbhHUlQ0t%2BFiKJkCeiB3NZz0Jrdl4gBJ4LcIFDtoMBKminawSYLR8aEimyQd3t4JlJf8HMLZiib3j5BaVapdkTvGGfsjHBw63ATi2f52hNGivpFUdKTljZ%2F0%2BxHCpYjtKwpNzKp%2FnkI9vR10O4fLC4E5CmiJsI8FXDA%2FuajTuIXhMIWkaGybGi2JOF%2B6Kwo%2BY0VZqoivHs80JjKZcms8R0b9EU4ZUurQuFo6UEAal7ZfRnRNwEt2fdsipbdPF6G2fnEe6sm68FYoakgOM%2FXREuIwcS1auWT1GxsE7c%2B7LmDQMHXwYeX0zz1eOOfbgDDN47ipBjqyATnQiusAmBwPAIeKOPrXjcni9mTq%2Fb%2BIqrWqHiO1Qwnevl%2Bug%2FPoO914nnM%2BkG7Rjs1IFRhcwjIqL7Ro02LpAhQmr9aVStzxZav6s801ayIn8%2FlGLgtSw0x0PISdJsA%2FD392n7D8c1O1e3rVcr04H%2BCnFKI1oNk%2FwtHrzsvrYgAYsl8J3uwm9TR85qqGDf0q%2FI086ooFNHvqa29FWiUoxwaOZ52JmoFVLqvSO2ngOZjl3jY%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=b565e9ad01b7c1d523a70d114e155ee432a05bc841cbcf47836d24ad1a2f89c1"}}, "h1reporter": {"disabled": false, "username": "happyhacking123", "url": "/happyhacking123", "is_me?": false, "cleared": false, "verified": false, "hackerone_triager": false, "hacker_mediation": false}}

{"veracode": [{"lastseen": "2023-06-03T20:05:06", "description": "apache-airflow is vulnerable to remote code execution. The vulnerability exists because the library does not properly clean up the example `dags` when using context manager, allowing an attacker to inject and execute malicious code on the airflow worker host.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T04:35:26", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38362"], "modified": "2022-08-17T14:19:11", "id": "VERACODE:36725", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-36725/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-20T23:47:45", "description": "Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T14:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38362"], "modified": "2022-08-17T12:20:00", "id": "PRION:CVE-2022-38362", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-38362", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-03T15:58:51", "description": "Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T14:15:00", "type": "cve", "title": "CVE-2022-38362", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38362"], "modified": "2022-08-17T12:20:00", "cpe": [], "id": "CVE-2022-38362", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38362", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "github": [{"lastseen": "2023-12-03T17:27:09", "description": "Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host. Disable loading of example DAGs or upgrade apache-airflow-providers-docker to 3.0.0 or above.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T00:00:21", "type": "github", "title": "Remote code execution in Apache Airflow Docker's Provider", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38362"], "modified": "2023-04-13T17:53:43", "id": "GHSA-746V-HFH2-XPHM", "href": "https://github.com/advisories/GHSA-746v-hfh2-xphm", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2022-08-24T19:15:53", "description": "Apache Airflow is an open source platform for creating, managing and monitoring workflows from the Apache Foundation. The platform is scalable and dynamically monitored, etc. A remote code execution vulnerability exists in versions of Apache Airflow prior to 3.0.0. The vulnerability stems from the fact that the code provided in the sample DAG on the Airflow work host is vulnerable to exploitation by (authenticated) remote code. An attacker could exploit this vulnerability to cause remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T00:00:00", "type": "cnvd", "title": "Apache Airflow Remote Code Execution Vulnerability (CNVD-2022-59057)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-38362"], "modified": "2022-08-24T00:00:00", "id": "CNVD-2022-59057", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-59057", "cvss": {"score": 0.0, "vector": "NONE"}}], "osv": [{"lastseen": "2023-04-13T18:01:16", "description": "Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host. Disable loading of example DAGs or upgrade apache-airflow-providers-docker to 3.0.0 or above.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T00:00:21", "type": "osv", "title": "Remote code execution in Apache Airflow Docker's Provider", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-38362"], "modified": "2023-04-13T18:00:59", "id": "OSV:GHSA-746V-HFH2-XPHM", "href": "https://osv.dev/vulnerability/GHSA-746v-hfh2-xphm", "cvss": {"score": 0.0, "vector": "NONE"}}]}