oss-sec mailing list archives
CVE-2022-24288: Apache Airflow: RCE in example DAGs
From: Jedidiah Cunningham <jedcunningham () apache org>
Date: Thu, 24 Feb 2022 18:01:16 +0000
Severity: high

Description:

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

Mitigation:

This can be mitigated by ensuring `[core] load_examples` is set to `False`.

Credit:

The Apache Airflow PMC would like to thank Kai Zhao of the TToU Security Team for reporting this issue.
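The mitigation above is a single configuration key, but Airflow resolves it from more than one place: the `AIRFLOW__CORE__LOAD_EXAMPLES` environment variable overrides whatever `airflow.cfg` says, and when the key is absent the shipped default is `True`. The following audit script is an added example, not code from the advisory or from the Airflow project; it mimics that resolution order (the environment-variable precedence and the `True` default are assumptions drawn from Airflow's documented configuration behaviour, and the two `airflow.cfg` fragments are constructed samples) so that an operator can confirm the mitigation is actually in effect on a given deployment.

```python
"""Audit whether an Airflow deployment will load the bundled example DAGs.

Added example (not Airflow's own code). It approximates how Airflow
resolves ``[core] load_examples``: the AIRFLOW__CORE__LOAD_EXAMPLES
environment variable overrides airflow.cfg, and the shipped default is
True, so a file that never mentions the key still loads the examples.
"""
import configparser
import os
from typing import Optional

SECTION, KEY = "core", "load_examples"
# Airflow's AIRFLOW__{SECTION}__{KEY} override convention.
ENV_VAR = f"AIRFLOW__{SECTION.upper()}__{KEY.upper()}"

# Constructed airflow.cfg fragments: the stock setting, which ships the
# example DAGs named in CVE-2022-24288, and the mitigated setting.
DEFAULT_CFG = """
[core]
dags_folder = /opt/airflow/dags
load_examples = True
"""

MITIGATED_CFG = """
[core]
dags_folder = /opt/airflow/dags
load_examples = False
"""


def parse_bool(value: str) -> bool:
    """Accept the spellings Airflow's getboolean() accepts; reject anything else."""
    v = value.strip().lower()
    if v in ("t", "true", "1"):
        return True
    if v in ("f", "false", "0"):
        return False
    raise ValueError(f"not a boolean for [{SECTION}] {KEY}: {value!r}")


def examples_loaded(cfg_text: str, env: Optional[dict] = None) -> bool:
    """Return True if example DAGs would be loaded under this cfg plus environment."""
    env = os.environ if env is None else env
    # The environment variable wins over the file, as in Airflow's resolution order.
    if ENV_VAR in env:
        return parse_bool(env[ENV_VAR])
    # interpolation=None so a literal '%' in some other value cannot break parsing.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    if cp.has_option(SECTION, KEY):
        return parse_bool(cp.get(SECTION, KEY))
    # Key absent: Airflow's shipped default is True, i.e. the examples load.
    return True


def audit(cfg_text: str, env: Optional[dict] = None) -> str:
    """One-line verdict for a configuration review."""
    if examples_loaded(cfg_text, env):
        return "VULNERABLE: example DAGs will be loaded"
    return "OK: example DAGs disabled"


if __name__ == "__main__":
    print("stock config   :", audit(DEFAULT_CFG, env={}))
    print("mitigated file :", audit(MITIGATED_CFG, env={}))
    # A deployment that fixed the file but still exports the variable is not fixed.
    print("env override   :", audit(MITIGATED_CFG, env={ENV_VAR: "true"}))
    # A file that never mentions the key inherits the loading default.
    print("key absent     :", audit("[core]\ndags_folder = /opt/airflow/dags\n", env={}))
```

Run it against the real file with `examples_loaded(open("/path/to/airflow.cfg").read())`, leaving `env` unset so the process environment is consulted; the third and fourth cases in the script are the ones that catch a half-applied mitigation, where the file says `False` but an exported variable or a missing key still turns the examples on.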