Vulnerability Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 2.3.0 |
| Apache | Apache-Airflow-Providers-Apache-Pig | < 4.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/27644PatchThird Party Advisory
- https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15Mailing ListThird Party Advisory
- https://github.com/apache/airflow/pull/27644PatchThird Party Advisory
- https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15Mailing ListThird Party Advisory
FAQ
What is CVE-2022-40189?
CVE-2022-40189 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed ...
How severe is CVE-2022-40189?
CVE-2022-40189 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-40189?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow, Apache Apache-Airflow-Providers-Apache-Pig.