Cyber Resilience

CVE-2022-46421

CriticalRCE

Published: 20 December 2022

Published
20 December 2022
Modified
16 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.3122 96.9th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-46421 is a critical-severity Command Injection (CWE-77) vulnerability in Apache Apache-Airflow-Providers-Apache-Hive. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-46421 is a command injection vulnerability (CWE-77) affecting the Apache Airflow Hive Provider package prior to version 5.0.0. The flaw stems from improper neutralization of special elements in commands, allowing untrusted input to be executed by the underlying system. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction.

An unauthenticated attacker with network access can supply crafted input that results in arbitrary command execution on the host running the vulnerable provider. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected Airflow deployment, enabling outcomes such as data exfiltration, unauthorized workflow modification, or service disruption.

Public references, including the Apache advisory thread and the associated GitHub pull request, indicate that the issue is resolved by upgrading the Hive Provider to version 5.0.0 or later. The EPSS score has reached a peak of 0.3438 with a current value of 0.3122, indicating sustained moderate exploitation interest following disclosure.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
apache-airflow-providers-apache-hive
≤ 5.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References