Command Injection in Apache Airflow and Apache Airflow MySQL Provider

2023-01-2115:30:18

Google

osv.dev

command injection

apache airflow

mysql provider

vulnerability

apache software foundation

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.012 Low

EPSS

Percentile

85.3%

JSON

Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

CPENameOperatorVersion
apache-airflow-providers-mysqleq3.2.0rc1
apache-airfloweq2.3.3rc2
apache-airfloweq1.10.10rc4
apache-airflow-providers-mysqleq2.2.0rc2
apache-airfloweq1.10.2rc3
apache-airfloweq2.5.0rc1
apache-airfloweq1.10.7rc2
apache-airfloweq1.10.11rc2
apache-airfloweq2.2.3rc2
apache-airfloweq2.3.1rc1

Name	Operator	Version
apache-airflow-providers-mysql	eq	3.2.0rc1
apache-airflow	eq	2.3.3rc2
apache-airflow	eq	1.10.10rc4
apache-airflow-providers-mysql	eq	2.2.0rc2
apache-airflow	eq	1.10.2rc3
apache-airflow	eq	2.5.0rc1
apache-airflow	eq	1.10.7rc2
apache-airflow	eq	1.10.11rc2
apache-airflow	eq	2.2.3rc2
apache-airflow	eq	2.3.1rc1