CVE-2022-40954

CVSS V2 None CVSS V3 None
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).
Overview
  • CVE ID
  • CVE-2022-40954
  • Assigner
  • security@apache.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-11-22T10:15:16
  • Last Modified Date
  • 2022-11-28T17:51:04
Weakness Enumerations
CWE URL
CWE-78 http://cwe.mitre.org/data/definitions/78.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* 1 OR 2.3.0
cpe:2.3:a:apache:apache-airflow-providers-apache-spark:*:*:*:*:*:*:*:* 1 OR 4.0.0
References
Reference URL Reference Tags
https://lists.apache.org/thread/0tmdlnmjs5t4gsx5fy73tb6zd3jztq45
https://github.com/apache/airflow/pull/27646
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-40954
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40954
History
Created Old Value New Value Data Type Notes
2022-11-22 11:00:09 Added to TrackCVE
2022-12-07 17:58:49 2022-11-22T10:15Z 2022-11-22T10:15:16 CVE Published Date updated
2022-12-07 17:58:49 2022-11-28T17:51:04 CVE Modified Date updated
2022-12-07 17:58:49 Analyzed Vulnerability Status updated
2022-12-07 17:58:50 CWE-78 Weakness Enumeration new
2022-12-07 17:58:51 CPE Information updated