
CVE-2022-40189

Critical RCE

Published: 22 November 2022
Modified: 29 April 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1593 (94.9th percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-40189 is a critical-severity OS Command Injection (CWE-78) vulnerability in Apache Airflow. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-40189 is an OS command injection vulnerability (CWE-78) affecting the Apache Airflow Pig Provider prior to version 4.0.0. It also impacts any Apache Airflow release before 2.3.0 when the Pig Provider is present, because the provider can only be upgraded to the fixed release on Airflow 2.3.0 and later. The flaw allows an attacker to supply input that is executed as an operating-system command inside the task execution context.

An unauthenticated remote attacker can exploit the issue over the network without write access to DAG files. Successful exploitation grants full control over commands run by the Pig tasks, resulting in arbitrary code execution with impacts to confidentiality, integrity, and availability.

Public advisories and the referenced Apache mailing-list threads direct operators to upgrade the Pig Provider to 4.0.0 and to ensure Airflow itself is at least version 2.3.0; the fixed provider cannot be installed on earlier Airflow releases.
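As an added illustration (not code from the advisory or the Airflow project), the following Python encodes the version rules above so a fleet audit can tell which hosts only need the provider upgrade and which must move Airflow first; the host names and versions in the inventory are constructed.

```python
# Added example: classify Airflow deployments against CVE-2022-40189 using
# the version rules the advisory states: Pig Provider < 4.0.0 is vulnerable,
# and provider 4.0.0 only installs on Airflow >= 2.3.0.
import re
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Map '2.3', '4.0.0' or '4.0.0rc1' to (major, minor, patch, final).

    Anything after the numeric core (rc1, .dev0, ...) is treated as a
    pre-release, so '4.0.0rc1' sorts below the fixed release 4.0.0.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    core, suffix = m.group(1), m.group(2)
    nums = tuple(int(p) for p in core.split("."))[:3]
    nums = nums + (0,) * (3 - len(nums))        # pad '2.3' to 2.3.0
    return nums + (0 if suffix else 1,)         # final release beats pre-release


FIXED_PROVIDER = parse_version("4.0.0")   # apache-airflow-providers-apache-pig
MIN_AIRFLOW = parse_version("2.3.0")      # oldest Airflow that can host it


def assess(airflow_version: str, pig_provider_version: Optional[str]) -> dict:
    """Return status and remediation for one host; None = provider absent."""
    if pig_provider_version is None:
        return {"status": "not_affected", "action": "Pig Provider not installed"}
    if parse_version(pig_provider_version) >= FIXED_PROVIDER:
        return {"status": "fixed", "action": "none"}
    if parse_version(airflow_version) >= MIN_AIRFLOW:
        return {"status": "vulnerable",
                "action": "upgrade apache-airflow-providers-apache-pig to 4.0.0"}
    return {"status": "vulnerable",
            "action": "upgrade Airflow to 2.3.0+ first, then install "
                      "apache-airflow-providers-apache-pig 4.0.0"}


# Constructed inventory (hypothetical hosts): (host, airflow, pig provider).
INVENTORY = [
    ("scheduler-01", "2.2.5", "3.0.0"),
    ("scheduler-02", "2.4.1", "3.0.0"),
    ("worker-03", "2.4.1", "4.0.0"),
    ("worker-04", "2.2.5", None),
]


def audit(inventory):
    return {host: assess(af, pig) for host, af, pig in inventory}


if __name__ == "__main__":
    for host, r in audit(INVENTORY).items():
        print(f"{host}: {r['status']} -> {r['action']}")
```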

The EPSS score for this CVE rose from a low baseline to a peak of 0.2429 (current value 0.1593), indicating that exploitation interest increased after disclosure.


Vulnerability details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / airflow: ≤ 2.3.0
apache / apache-airflow-providers-apache-pig: ≤ 4.0.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: platform-independent applications typically run inside a managed runtime or sandbox that restricts direct OS command execution, limiting what an OS command injection can reach.

Addresses CWE-78: input validation that rejects or neutralizes special elements which would alter the OS command being executed.
