Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jbTQzLWYycHYtNnY2OM4AAwAB

OS Command Injection in Apache Airflow

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).

Permalink: https://github.com/advisories/GHSA-cm43-f2pv-6v68
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jbTQzLWYycHYtNnY2OM4AAwAB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-cm43-f2pv-6v68, CVE-2022-41131
References:

Repository: https://github.com/apache/airflow
Blast Radius: 10.0

Affected Packages

pypi:apache-airflow-providers-apache-hive

Dependent packages: 8
Dependent repositories: 19
Downloads: 127,358 last month
Affected Version Ranges: < 4.1.0
Fixed in: 4.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 3.0.0, 3.1.0, 4.0.0, 4.0.1
All unaffected versions: 4.1.0, 4.1.1, 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.3.0, 6.4.0, 6.4.1, 6.4.2, 7.0.0, 7.0.1, 8.0.0