CVE-2022-40189

high-risk
Published 2022-11-22

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.

Do I need to act?

!
21.7% chance of exploitation in next 30 days
EPSS score — higher than 78% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Apache

References (4)

Patch https://github.com/apache/airflow/pull/27644
Mailing List https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15
Patch https://github.com/apache/airflow/pull/27644
Mailing List https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15
53
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 14/34 · Moderate
Exposure 7/34 · Low