CVE-2022-40189
CRITICALApache Airflow < 2.3.0 - OS Command Injection via Pig Provider
Title source: llmDescription
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
References (2)
Core 2
Core References
Patch, Third Party Advisory
https://github.com/apache/airflow/pull/27644
Mailing List, Third Party Advisory
https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15
Scores
CVSS v3
9.8
EPSS
0.1593
EPSS Percentile
94.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (3)
apache/airflow
< 2.3.0
apache/apache-airflow-providers-apache-pig
< 4.0.0
pypi/apache-airflow
0 - 2.3.0PyPI
Published
Nov 22, 2022
Tracked Since
Feb 18, 2026