Critical severity · NVD Advisory · Published Jan 21, 2023 · Updated Mar 31, 2025
Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow
CVE-2023-22884
Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow (PyPI) | < 2.5.1 | 2.5.1 |
| apache-airflow-providers-mysql (PyPI) | < 4.0.0 | 4.0.0 |
References
- github.com/apache/airflow/pull/28811 (GHSA; patch; web)
- github.com/advisories/GHSA-c732-xvv8-g94c (GHSA; advisory)
- lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h (GHSA; vendor advisory; web)
- nvd.nist.gov/vuln/detail/CVE-2023-22884 (GHSA; advisory)