CVE-2022-24288

HIGH EXPLOITED NUCLEI

Apache Airflow <2.2.4 - Command Injection

Title source: llm

Description

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

Nuclei Templates (1)

Apache Airflow OS Command Injection

HIGHVERIFIEDby xeldax

Shodan:

title:"Airflow - DAGs" || http.html:"Apache Airflow" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"

FOFA: title="sign in - airflow" || apache airflow || title="airflow - dags" || http.html:"apache airflow"

References (1)

[Mailing List, Third Party Advisory] https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t

Scores

CVSS v3 8.8

EPSS 0.8908

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-12-08

CWE

CWE-78

Status published

Products (2)

apache/airflow < 2.2.4

pypi/apache-airflow 0 - 2.2.4PyPI

Published Feb 25, 2022

Tracked Since Feb 18, 2026