CVE-2022-40127
Published: 14 November 2022
Summary
CVE-2022-40127 is a high-severity Code Injection (CWE-94) vulnerability in Apache Airflow. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in the Example Dags component of Apache Airflow permits command injection through the manually supplied run_id parameter when a DAG is triggered. The flaw is classified as CWE-94, affects all versions prior to 2.4.0 and carries a CVSS 3.1 base score of 8.8.
An authenticated user who already has UI access and permission to trigger DAGs can supply a crafted run_id value that is interpolated into a shell command, executing arbitrary commands on the host that runs the task with the privileges of the Airflow worker process, for full confidentiality, integrity and availability impact within the Airflow deployment.
Advisories and the associated pull request 25960 indicate that the issue is resolved by upgrading to Apache Airflow 2.4.0 or later. Deployments that do not need the bundled example DAGs can also stop loading them by setting load_examples = False in the [core] section of airflow.cfg (or the environment variable AIRFLOW__CORE__LOAD_EXAMPLES=False), which removes the affected DAG from the UI; this reduces exposure but is not a substitute for the upgrade.
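The mechanism behind this CVE, as an added illustration that is not code from the page or from the Airflow project: a template placeholder for the user-controlled run_id is rendered as a bare string into a bash_command and handed to a shell, so a run_id that closes the quotes appends its own command. The tiny render function below imitates that Jinja rendering with the standard library only, and the two hardened variants (shell-quoting at render time, or passing the value through the environment) are general patterns for the same weakness, not a description of what PR 25960 changed. The run_id value is constructed for the demonstration.

```python
import os
import re
import shlex
import subprocess

# Stand-in for the Jinja rendering Airflow applies to BashOperator.bash_command:
# every `{{ name }}` is replaced by the context value as a bare string before the
# result is handed to a shell. Deliberately minimal imitation, not Airflow code.
TEMPLATE_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: dict, quote: bool = False) -> str:
    """Render `{{ var }}` placeholders; with quote=True each value is shell-quoted first."""
    def sub(match):
        value = str(context[match.group(1)])
        return shlex.quote(value) if quote else value
    return TEMPLATE_VAR.sub(sub, template)


def run_bash(command: str, extra_env: dict = None) -> str:
    """Execute `command` through /bin/sh and return its stdout, as BashOperator would."""
    env = dict(os.environ, **(extra_env or {}))
    proc = subprocess.run(["/bin/sh", "-c", command], capture_output=True, text=True, env=env)
    return proc.stdout


# Constructed run_id of the kind a UI user can type into the "Run id" field when
# triggering a DAG: it closes the template's double quotes and appends a command.
MALICIOUS_RUN_ID = 'manual__2022"; echo INJECTED; echo "'

# Vulnerable shape: the user-controlled run_id is interpolated straight into the command.
VULNERABLE_TEMPLATE = 'echo "run_id={{ run_id }}"'


def vulnerable(run_id: str) -> str:
    return run_bash(render(VULNERABLE_TEMPLATE, {"run_id": run_id}))


def hardened_quote(run_id: str) -> str:
    # Shell-quote the value at render time; the template carries no quotes of its
    # own because shlex.quote supplies them.
    return run_bash(render("echo run_id={{ run_id }}", {"run_id": run_id}, quote=True))


def hardened_env(run_id: str) -> str:
    # Hand the value to the shell as an environment variable: $RUN_ID is expanded
    # after the command line is parsed, so quotes and semicolons in it are data.
    return run_bash('echo "run_id=$RUN_ID"', extra_env={"RUN_ID": run_id})


def was_injected(stdout: str) -> bool:
    """True if the injected `echo INJECTED` actually ran (INJECTED on its own line)."""
    return "INJECTED" in stdout.splitlines()


if __name__ == "__main__":
    for name, fn in [("vulnerable", vulnerable), ("hardened_quote", hardened_quote), ("hardened_env", hardened_env)]:
        out = fn(MALICIOUS_RUN_ID)
        print(f"{name:15} injected={was_injected(out)} stdout={out!r}")
```

The vulnerable path prints INJECTED as a separate line because the shell saw three commands; both hardened paths echo the whole run_id as one literal string. Of the two, passing the value through the environment is the more robust choice, since it does not depend on every template author remembering to quote.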
The EPSS score has stayed consistently high, peaking at 0.9385; the current value is 0.9331.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0017
Vulnerability details
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-94) cited in the NVD entry and is therefore generic.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.
Of these, only input validation and quoting speaks to the actual mechanism here (a user-controlled value rendered into a shell command); controls aimed at memory-resident code or read-only executable images do not address it. The primary remediation remains the upgrade to Apache Airflow 2.4.0 or later.