Posted to dev@airflow.apache.org by Jedidiah Cunningham <je...@apache.org> on 2022/02/24 18:01:16 UTC

CVE-2022-24288: Apache Airflow: RCE in example DAGs

Severity: high

Description:

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

Mitigation:

This can be mitigated by ensuring `[core] load_examples` is set to `False`.
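A quick way to audit a deployment for this mitigation, as an added example that is not part of the advisory: it reads an `airflow.cfg` and the `AIRFLOW__CORE__LOAD_EXAMPLES` environment override (assumed precedence: environment variable over file, and Airflow's shipped default of `True` when the option is unset) and reports whether the example DAGs would be loaded.

```python
"""Check whether an Airflow deployment would load the bundled example DAGs.

Added example, not part of the advisory. Assumes Airflow's documented
precedence: the AIRFLOW__CORE__LOAD_EXAMPLES environment variable overrides
[core] load_examples in airflow.cfg, and an unset option defaults to True.
"""
import configparser
import os
from typing import Mapping, Optional

ENV_KEY = "AIRFLOW__CORE__LOAD_EXAMPLES"
TRUE_VALUES = {"1", "true", "yes", "on", "t", "y"}
FALSE_VALUES = {"0", "false", "no", "off", "f", "n"}


def parse_bool(value: str) -> bool:
    """Parse a boolean the way configparser.getboolean() does; raise on junk."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def examples_enabled(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """Return True if example DAGs (including the vulnerable ones before 2.2.4) would load."""
    env = os.environ if env is None else env
    # The environment variable wins over the config file.
    if ENV_KEY in env:
        return parse_bool(env[ENV_KEY])
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if parser.has_option("core", "load_examples"):
        return parse_bool(parser.get("core", "load_examples"))
    # Option unset: Airflow's shipped default is True, so examples are loaded.
    return True


# Constructed sample configs (not taken from any real deployment).
WEAK_CFG = "[core]\ndags_folder = /opt/airflow/dags\nload_examples = True\n"
HARDENED_CFG = "[core]\ndags_folder = /opt/airflow/dags\nload_examples = False\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        state = "LOADED" if examples_enabled(cfg, env={}) else "not loaded"
        print(f"{name}: example DAGs {state}")
```

Point it at the real `airflow.cfg` and the scheduler's environment; the environment check matters because a hardened file is silently overridden by a stray `AIRFLOW__CORE__LOAD_EXAMPLES=true` in a container or systemd unit.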

Credit:

The Apache Airflow PMC would like to thank Kai Zhao of the TToU Security Team for reporting this issue.