CVE-2022-38649
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.5%
Improper Neutralization of Special Elements used in an OS Command (βOS Command Injectionβ) vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
Affected configurations
CNA Affected
[
{
"vendor": "Apache Software Foundation",
"product": "Apache Airflow Pinot Provider",
"versions": [
{
"version": "unspecified",
"lessThan": "4.0.0",
"status": "affected",
"versionType": "custom"
}
]
},
{
"vendor": "Apache Software Foundation",
"product": "Apache Airflow",
"versions": [
{
"version": "unspecified",
"lessThan": "2.3.0",
"status": "affected",
"versionType": "custom"
}
]
}
]References
Social References
More
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.5%