CVE-2022-38362 – apache-airflow-providers-docker
Package
Manager: pip
Name: apache-airflow-providers-docker
Vulnerable Version: >=0 <3.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00796 (percentile: 0.73102)
Details
Remote code execution in Apache Airflow Docker's Provider
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host. Disable loading of example DAGs or upgrade apache-airflow-providers-docker to 3.0.0 or above.
Metadata
Created: 2022-08-17T00:00:21Z
Modified: 2023-04-13T17:53:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-746v-hfh2-xphm/GHSA-746v-hfh2-xphm.json
CWE IDs: []
Alternative ID: GHSA-746v-hfh2-xphm
Finding: F422
Auto approve: 1