High severityNVD Advisory· Published Nov 14, 2022· Updated Apr 30, 2025
Apache Airflow <2.4.0 has an RCE in a bash example
CVE-2022-40127
Description
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflowPyPI | < 2.4.0 | 2.4.0 |
Affected products
3- osv-coords2 versions
< 2.4.0+ 1 more
- (no CPE)range: < 2.4.0
- (no CPE)range: < 2.4.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-6pw3-8h9w-32gcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-40127ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/11/14/2ghsamailing-listWEB
- github.com/apache/airflow/commit/372e699c2d1e11f7087b5340454d0a0a6a56fbf5ghsaWEB
- github.com/apache/airflow/pull/25960ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42982.yamlghsaWEB
- lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysyghsaWEB
News mentions
0No linked articles in our index yet.