CVE-2022-46421
Published: 20 December 2022
Summary
CVE-2022-46421 is a critical-severity Command Injection (CWE-77) vulnerability in Apache Apache-Airflow-Providers-Apache-Hive. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-46421 is a command injection vulnerability (CWE-77) affecting the Apache Airflow Hive Provider package prior to version 5.0.0. The flaw stems from improper neutralization of special elements in commands, allowing untrusted input to be executed by the underlying system. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction.
An unauthenticated attacker with network access can supply crafted input that results in arbitrary command execution on the host running the vulnerable provider. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected Airflow deployment, enabling outcomes such as data exfiltration, unauthorized workflow modification, or service disruption.
Public references, including the Apache advisory thread and the associated GitHub pull request, indicate that the issue is resolved by upgrading the Hive Provider to version 5.0.0 or later. The EPSS score has reached a peak of 0.3438 with a current value of 0.3122, indicating sustained moderate exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7732
Vulnerability details
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: before 5.0.0.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet.