Lucene search

GitHub Advisory DatabaseGHSA-C732-XVV8-G94C

HistoryJan 21, 2023 - 3:30 p.m.

Command Injection in Apache Airflow and Apache Airflow MySQL Provider

2023-01-2115:30:18

CWE-77

GitHub Advisory Database

github.com

apache airflow

command injection

apache software foundation

mysql provider

vulnerability

security issue

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.012 Low

EPSS

Percentile

85.3%

JSON

Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

Affected configurations

Vulners

Node

apacheapache-airflow-providers-mysqlRange<4.0.0

apacheairflowRange<2.5.1

CPENameOperatorVersion
apache-airflow-providers-mysqllt4.0.0
apache-airflowlt2.5.1

CPE	Name	Operator	Version
	apache-airflow-providers-mysql	lt	4.0.0
	apache-airflow	lt	2.5.1

References

github.com/advisories/GHSA-c732-xvv8-g94c

github.com/apache/airflow/pull/28811

lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h

nvd.nist.gov/vuln/detail/CVE-2023-22884

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.012 Low

EPSS

Percentile

85.3%

JSON

Related for GHSA-C732-XVV8-G94C