CVE-2022-40189
Published: 22 November 2022
Summary
CVE-2022-40189 is a critical-severity OS Command Injection (CWE-78) vulnerability in Apache Airflow. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-40189 is an OS command injection vulnerability (CWE-78) affecting the Apache Airflow Pig Provider prior to version 4.0.0. It also impacts any Apache Airflow release before 2.3.0 when the Pig Provider is present, because the provider can only be upgraded to the fixed release on Airflow 2.3.0 and later. The flaw allows an attacker to supply input that is executed as an operating-system command inside the task execution context.
An unauthenticated remote attacker can exploit the issue over the network without write access to DAG files. Successful exploitation grants full control over commands run by the Pig tasks, resulting in arbitrary code execution with impacts to confidentiality, integrity, and availability.
Public advisories and the referenced Apache mailing-list threads direct operators to upgrade the Pig Provider to 4.0.0 and to ensure Airflow itself is at least version 2.3.0; the fixed provider cannot be installed on earlier Airflow releases.
The EPSS score for this CVE rose from a low baseline to a peak of 0.2429 (current value 0.1593), indicating that exploitation interest increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7427
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.