Vulnerabilites related to apache - apache-airflow-providers-docker
Vulnerability from fkie_nvd
Published
2022-08-16 14:15
Modified
2024-11-21 07:16
Severity ?
Summary
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/08/16/1 | Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/08/16/1 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | apache-airflow-providers-docker | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:apache-airflow-providers-docker:*:*:*:*:*:*:*:*",
"matchCriteriaId": "036A71B6-A31D-428C-9814-9CE455BFB518",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Airflow Docker\u0027s Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host."
},
{
"lang": "es",
"value": "El Proveedor de Apache Airflow Docker versiones anteriores a 3.0.0, inclu\u00eda un ejemplo de DAG que era vulnerable a una explotaci\u00f3n remota (autenticada) de c\u00f3digo en el host del trabajador de Airflow."
}
],
"id": "CVE-2022-38362",
"lastModified": "2024-11-21T07:16:19.723",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-16T14:15:08.310",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/16/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/16/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-38362 (GCVE-0-2022-38362)
Vulnerability from cvelistv5
Published
2022-08-16 14:10
Modified
2024-08-03 10:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote Code Execution
Summary
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Airflow |
Version: Apache Airflow Docker Provider < 3.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:54:03.738Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb"
},
{
"name": "[oss-security] 20220816 CVE-2022-38362: Apache Airflow Docker Provider \u003c3.0 RCE vulnerability in example dag",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/16/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.0.0",
"status": "affected",
"version": "Apache Airflow Docker Provider",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Kai Zhao of 3H Secruity Team for reporting this"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Airflow Docker\u0027s Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-16T20:06:13",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb"
},
{
"name": "[oss-security] 20220816 CVE-2022-38362: Apache Airflow Docker Provider \u003c3.0 RCE vulnerability in example dag",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/16/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Docker Provider \u003c3.0 RCE vulnerability in example dag",
"workarounds": [
{
"lang": "en",
"value": "Disable loading of example DAGs or upgrade the apache-airflow-providers-docker to 3.0.0 or above"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-38362",
"STATE": "PUBLIC",
"TITLE": "Docker Provider \u003c3.0 RCE vulnerability in example dag"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Airflow",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Airflow Docker Provider",
"version_value": "3.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Kai Zhao of 3H Secruity Team for reporting this"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Airflow Docker\u0027s Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb"
},
{
"name": "[oss-security] 20220816 CVE-2022-38362: Apache Airflow Docker Provider \u003c3.0 RCE vulnerability in example dag",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/08/16/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Disable loading of example DAGs or upgrade the apache-airflow-providers-docker to 3.0.0 or above"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-38362",
"datePublished": "2022-08-16T14:10:09",
"dateReserved": "2022-08-15T00:00:00",
"dateUpdated": "2024-08-03T10:54:03.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}