CVE-2023-22884

CRITICAL LAB

Apache Airflow < 2.5.1 - Command Injection

Title source: rule

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

Exploits (1)

nomisec WORKING POC 9 stars
by jakabakos · poc
https://github.com/jakabakos/CVE-2023-22884-Airflow-SQLi

Scores

CVSS v3 9.8
EPSS 0.7629
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull apache/airflow:2.5.0

Details

CWE
CWE-77
Status published
Products (4)
apache/airflow < 2.5.1
apache/apache-airflow-providers-mysql < 4.0.0
pypi/apache-airflow 0 - 2.5.1 (PyPI)
pypi/apache-airflow-providers-mysql 0 - 4.0.0 (PyPI)
Published Jan 21, 2023
Tracked Since Feb 18, 2026