

Rewterz Threat Advisory – Multiple SolarWinds Orion Platform Vulnerabilities
November 24, 2022
Rewterz Threat Alert – APT32 Sea Lotus – Active IOCs
November 24, 2022
Severity
High
Analysis Summary
CVE-2022-38649 CVSS:9.8
Apache Airflow Pinot Provider and Apache Airflow could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw in PinotAdminHook. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2022-40189 CVSS:9.8
Apache Airflow Pig Provider and Apache Airflow could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the task execution context. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2022-40954 CVSS:9.8
Apache Airflow Spark Provider and Apache Airflow could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the task execution context. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2022-41131 CVSS:9.8
Apache Airflow Hive Provider and Apache Airflow could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the task execution context. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
Impact
Command Execution
Indicators Of Compromise
CVE
- CVE-2022-38649
- CVE-2022-40189
- CVE-2022-40954
- CVE-2022-41131
Affected Vendors
Apache
Affected Products
- Apache Airflow 2.2.5
- Apache Airflow Pinot Provider 3.0.0
Remediation
Refer to the Apache Airflow Git repository for patch, upgrade, or suggested workaround information.
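To find which environments need that review, the following added example (not part of the advisory and not Apache's code) triages `pip freeze` or requirements text against the products this advisory names. It assumes the PyPI distribution names shown for Airflow and the Pinot, Pig, Spark and Hive providers, flags only the exact versions listed under Affected Products, and marks any other version of a named package for manual review because the advisory gives no version range or fixed version.

```python
import re

# Exact versions listed under "Affected Products" in this advisory.
LISTED_AFFECTED = {
    "apache-airflow": {"2.2.5"},
    "apache-airflow-providers-apache-pinot": {"3.0.0"},
}
# Providers named in the CVE descriptions (Pig, Spark, Hive). The advisory
# lists no version for them, so any installed version is reported for review.
NAMED_NO_VERSION = {
    "apache-airflow-providers-apache-pig",
    "apache-airflow-providers-apache-spark",
    "apache-airflow-providers-apache-hive",
}

# name, optional [extras], then an exact pin; stops before markers/comments.
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def triage(freeze_text):
    """Return [(package, version, status)] for packages the advisory names."""
    findings = []
    for line in freeze_text.splitlines():
        m = PIN.match(line)
        if not m:
            continue  # comments, blank lines, unpinned or URL requirements
        name, version = normalize(m.group(1)), m.group(2)
        if name in LISTED_AFFECTED:
            hit = version in LISTED_AFFECTED[name]
            findings.append((name, version, "listed-affected" if hit else "review"))
        elif name in NAMED_NO_VERSION:
            findings.append((name, version, "review"))
    return findings

# Constructed sample input (not taken from the advisory).
SAMPLE = """\
# constructed pip freeze output
apache-airflow[celery]==2.2.5
Apache_Airflow_Providers_Apache_Pinot==3.0.0
apache-airflow-providers-apache-hive==4.0.0 ; python_version >= "3.7"
apache-airflow-providers-http==4.0.0
requests==2.28.1
"""

if __name__ == "__main__":
    for name, version, status in triage(SAMPLE):
        print(f"{status:16} {name}=={version}")
```

A `review` status means the package is named in the advisory but its installed version has to be checked against the upstream Apache Airflow release information.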