Server-side template injection in apache-airflow-providers-docker

Description

Remote code execution in Apache Airflow Docker's Provider

Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host. Disable loading of example DAGs or upgrade apache-airflow-providers-docker to 3.0.0 or above.

Mitigation
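
A check for the two mitigations named in the description, added here as an example (not code from the advisory or from the Airflow project). It assumes that "loading of example DAGs" refers to Airflow's `[core] load_examples` setting and its `AIRFLOW__CORE__LOAD_EXAMPLES` environment override, and that the config file is at `$AIRFLOW_HOME/airflow.cfg`; the function names are hypothetical.

```python
import configparser
import re
from importlib import metadata

PACKAGE = "apache-airflow-providers-docker"
FIXED = (3, 0, 0)  # first patched release, per the advisory

def is_patched(version):
    """True for releases >= 3.0.0; pre-releases of 3.0.0 and unparseable strings fail closed."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        return False
    release = tuple(int(p or 0) for p in m.group(1, 2, 3))
    if release == FIXED and re.match(r"\.?(a|b|rc|dev)", m.group(4)):
        return False
    return release >= FIXED

def examples_enabled(cfg_text, env):
    """Resolve [core] load_examples: the env var wins, and Airflow's default is True."""
    value = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if value is None:
        cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg may contain '%'
        cfg.read_string(cfg_text)
        value = cfg.get("core", "load_examples", fallback="True")
    return value.strip().lower() in {"t", "true", "1"}

def assess(version, cfg_text, env):
    """Return (exposed, reason) for one host's provider version and configuration."""
    if version is None:
        return False, "provider not installed"
    if is_patched(version):
        return False, f"provider {version} is patched"
    if not examples_enabled(cfg_text, env):
        return False, f"provider {version} is affected, example DAGs disabled"
    return True, f"provider {version} is affected and example DAGs are loaded"

def installed_version():
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    import os
    import pathlib
    home = pathlib.Path(os.environ.get("AIRFLOW_HOME", "~/airflow")).expanduser()
    cfg = home / "airflow.cfg"
    print(assess(installed_version(), cfg.read_text() if cfg.exists() else "", os.environ))
```

Run it on each scheduler and worker host, in the same Python environment and with the same environment variables as the Airflow processes.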

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions