Cyber Resilience

CVE-2023-22884

Critical RCE

Published: 21 January 2023
Modified: 31 March 2025
KEV Added: not listed in the CISA KEV catalog
Patch: available (upgrade paths under Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7629 (99.0th percentile)
Risk Priority: 65 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22884 is a critical-severity Command Injection (CWE-77) vulnerability in Apache Airflow. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS 0.7629, 99.0th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-22884 is a command injection vulnerability arising from improper neutralization of special elements in commands. It affects Apache Airflow versions prior to 2.5.1 and the Apache Airflow MySQL Provider versions prior to 4.0.0, as disclosed by the Apache Software Foundation.

An unauthenticated attacker with network access can exploit the flaw without user interaction to execute arbitrary commands on the affected system. Successful exploitation yields complete compromise of confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.

Advisories and patches referenced in the Apache mailing list threads and associated GitHub pull requests direct users to upgrade Airflow to 2.5.1 or later and the MySQL provider to 4.0.0 or later to remediate the issue.

The EPSS score has reached a peak of 0.7977 with a current value of 0.7629, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow and Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / airflow: ≤ 2.5.1
apache / apache-airflow-providers-mysql: ≤ 4.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References