5 matches found
Apache Airflow OS Command Injection
Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI. id: CVE-2022-24288 info: name: Apache Airflow OS Command Injection...
Apache Airflow Command Injection (CVE-2022-24288)
A command injection vulnerability exists in Apache Airflow. This vulnerability is due to improper input validation for parameters for directed acyclic graphs DAGs...
Internet Bug Bounty: CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs
In Apache Airflow, prior to version 2.2.4, In DAG script of airflow , there is two command injection vulnerability RCE in the some scripts, which an attacker can execute arbitrary commands on the system. The impact is even greater when airflow is configured for unauthenticated access. These two...
acceldata-o2a (=1.0.0), acryl-datahub-airflow-plugin (>=0.9.5.1rc1 <=1.3.1.post1) +124 more potentially affected by CVE-2022-24288 via apache-airflow (>=1.8.2 <=2.2.3)
apache-airflow PYPI version =1.8.2, =0.9.5.1rc1, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.4.0, =0.1.0a1, =0.6.0, =0.1.1, =0.1.1, =0.10.2, =0.11.0 - airflow-ditto =0.0.1.2 and more Source cves: CVE-2022-24288 Source advisory: OSV:PYSEC-2022-30...
CVE-2022-24288
CVE-2022-24288 affects Apache Airflow prior to 2.2.4, where some example DAGs did not properly sanitize user-provided parameters in the web UI, enabling OS command injection. Connected documents confirm an OS command injection vulnerability in affected DAGs (e.g., example_passing_params_via_test_...