Vulnerability Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 2.3.0 |
| Apache | Apache-Airflow-Providers-Apache-Pinot | < 4.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/27641PatchThird Party Advisory
- https://lists.apache.org/thread/033o1gbc4ly6dpd2xf1o201v56fbl4dzIssue TrackingMailing ListVendor Advisory
- https://github.com/apache/airflow/pull/27641PatchThird Party Advisory
- https://lists.apache.org/thread/033o1gbc4ly6dpd2xf1o201v56fbl4dzIssue TrackingMailing ListVendor Advisory
FAQ
What is CVE-2022-38649?
CVE-2022-38649 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands execute...
How severe is CVE-2022-38649?
CVE-2022-38649 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-38649?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow, Apache Apache-Airflow-Providers-Apache-Pinot.