CVE-2023-22884
Published: 21 January 2023
Summary
CVE-2023-22884 is a critical-severity command injection (CWE-77) vulnerability in Apache Airflow and its MySQL provider. Its CVSS base score is 9.8 (Critical).
Operationally, its EPSS exploit-likelihood ranking places it in the top 1.0% of all CVEs; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
CVE-2023-22884 is a command injection vulnerability arising from improper neutralization of special elements in a command. As disclosed by the Apache Software Foundation, it affects Apache Airflow versions prior to 2.5.1 and the Apache Airflow MySQL Provider versions prior to 4.0.0.
A 9.8 base score corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: an unauthenticated attacker with network access can exploit the flaw with low complexity and without user interaction, and successful exploitation yields full loss of confidentiality, integrity, and availability on the affected host.
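The page names the weakness class (CWE-77) but not the injection point. The following is an added, constructed illustration of that class and is not the MySQL provider's code: a hypothetical dump helper pastes a caller-controlled table name into a shell string, beside a hardened builder that allow-lists the identifier and returns an argv list so no shell ever parses the value. The `mysqldump` invocation, the database name and the identifier rule are all assumptions made for the example.

```python
"""Constructed illustration of CWE-77 (command injection) and its fix.
Not the Apache Airflow MySQL provider's code or its actual injection point."""
import re
import shlex
from typing import List

# Assumption for this example: a plain, unqualified identifier is all a
# caller may supply as a table name.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_safe_identifier(name: str) -> bool:
    """True only when `name` matches the strict identifier allow-list."""
    return IDENTIFIER_RE.match(name) is not None


def build_dump_command_vulnerable(table: str, out_file: str) -> str:
    """Vulnerable pattern: the caller's value is interpolated into a single
    shell string, so shell metacharacters in `table` become command syntax."""
    return f"mysqldump airflow_db {table} > {out_file}"


def build_dump_command_hardened(table: str, out_file: str) -> List[str]:
    """Hardened pattern: reject anything outside the allow-list and return an
    argv list for subprocess.run(argv, shell=False). The output path goes to
    mysqldump's own --result-file option instead of a shell redirect."""
    if not is_safe_identifier(table):
        raise ValueError(f"refusing table name with unexpected characters: {table!r}")
    return ["mysqldump", f"--result-file={out_file}", "airflow_db", table]


def shell_command_list(cmd: str) -> List[List[str]]:
    """Tokenize `cmd` the way a POSIX shell would and split it into the
    separate simple commands the shell would run. Used to show, without
    executing anything, what the vulnerable string really asks for."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    # Constructed hostile input: a second command smuggled after a separator.
    hostile = "orders; id"
    vuln = build_dump_command_vulnerable(hostile, "/tmp/dump.sql")
    print("vulnerable string :", vuln)
    print("shell would run   :", shell_command_list(vuln))
    try:
        build_dump_command_hardened(hostile, "/tmp/dump.sql")
    except ValueError as exc:
        print("hardened builder  :", exc)
    print("hardened argv     :", build_dump_command_hardened("orders", "/tmp/dump.sql"))
```

The hardened builder fixes two things at once: the identifier never reaches a shell because the command is an argv list, and the allow-list rejects the value before it is used at all, so the protection does not depend on remembering to quote.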
Advisories and patches referenced in the Apache mailing list threads and associated GitHub pull requests direct users to upgrade Airflow to 2.5.1 or later and the MySQL provider to 4.0.0 or later to remediate the issue.
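To turn the upgrade advice above into a check, here is an added example (not project code) that compares installed Apache Airflow and MySQL provider versions against the fixed releases named on this page. The version parser, the treatment of pre-release suffixes as older than the final release, and the distribution names `apache-airflow` and `apache-airflow-providers-mysql` are assumptions of the example.

```python
"""Check installed Airflow / MySQL provider versions against the releases
that fix CVE-2023-22884. Added example; not Apache Airflow project code."""
import re
from importlib import metadata
from typing import Dict, Tuple

# Fixed releases from the advisory text on this page.
FIXED: Dict[str, str] = {
    "apache-airflow": "2.5.1",
    "apache-airflow-providers-mysql": "4.0.0",
}

# Assumption: versions look like MAJOR.MINOR[.PATCH][pre-release].
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>\.?(a|b|rc|dev)\d*)?", re.I)


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Reduce a version string to a comparable tuple. A pre-release suffix
    (e.g. '2.5.1rc1') ranks below the final release with the same numbers."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre_rank = -1 if m.group("pre") else 0
    return (major, minor, patch, pre_rank)


def is_vulnerable(package: str, installed: str) -> bool:
    """True when `installed` is older than the fixed release for `package`."""
    return parse_version(installed) < parse_version(FIXED[package])


def assess(installed: Dict[str, str]) -> Dict[str, bool]:
    """Map each known package in `installed` to whether it is still affected."""
    return {pkg: is_vulnerable(pkg, ver) for pkg, ver in installed.items() if pkg in FIXED}


def installed_versions() -> Dict[str, str]:
    """Read the versions of the two distributions from the current Python
    environment; packages that are not installed are simply omitted."""
    found: Dict[str, str] = {}
    for pkg in FIXED:
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    # Live check against whatever is installed in this interpreter.
    for pkg, affected in assess(installed_versions()).items():
        print(f"{pkg}: {'AFFECTED, upgrade' if affected else 'fixed release'}")
```

Run it inside the virtualenv that serves Airflow, since that is the environment whose metadata is read; a release candidate such as 2.5.1rc1 is reported as affected because only the final 2.5.1 is named as the fix.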
The EPSS score (the estimated probability of exploitation activity in the next 30 days) peaked at 0.7977 and currently stands at 0.7629, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0440
Vulnerability details
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
- CWE(s): CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Apache Airflow before 2.5.1
- Apache Airflow MySQL Provider before 4.0.0
Mitigating Controls
- Upgrade Apache Airflow to 2.5.1 or later and the Apache Airflow MySQL Provider to 4.0.0 or later, as directed by the Apache advisory. No other mitigating controls have been mapped for this CVE yet.