CVE-2022-40127
Arbitrary Command Execution vulnerability in apache-airflow (PyPI)

Arbitrary Command Execution Proof of concept

What is CVE-2022-40127 About?

This vulnerability in Apache Airflow allows for arbitrary command execution. An attacker with UI access can leverage a manually provided 'run_id' parameter to execute arbitrary commands, leading to potential system compromise. Exploitation is relatively easy for an authenticated user with specific permissions.

Affected Software

apache-airflow <2.4.0

Technical Details

The vulnerability exists within the example DAGs shipped with Apache Airflow, specifically in versions prior to 2.4.0. An attacker who has UI access and the ability to trigger DAGs can exploit it by manipulating the 'run_id' parameter. When a DAG is triggered, a 'run_id' that the user provides manually is not sanitized or validated; the example DAG renders the value into a shell command, so shell syntax injected into the parameter is executed by the underlying system when the DAG runs. This provides a direct remote code execution vector for authenticated attackers.
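The defensive pattern the fix relies on, shown here as an added example that is not Airflow's own code: the command string stays constant and the run_id reaches the shell only through an environment variable, with an allowlist check in front of it. The regular expression, the function names and the `printf` command are assumptions chosen for illustration.

```python
import os
import re
import subprocess

# Allowlist for run_id values a trigger endpoint should accept. Airflow's
# generated run_ids look like "manual__2022-01-01T00:00:00+00:00", so letters,
# digits and a few punctuation characters cover them; shell metacharacters
# (; | & $ ` " ' ( ) and whitespace) are deliberately outside the class.
# The pattern is an assumption for this example, not an Airflow rule.
RUN_ID_RE = re.compile(r"[A-Za-z0-9_.:+\-]{1,250}")


def is_safe_run_id(run_id: str) -> bool:
    """Return True if run_id contains only allowlisted characters."""
    return RUN_ID_RE.fullmatch(run_id) is not None


def echo_run_id_via_env(run_id: str) -> str:
    """Echo run_id from a shell command without rendering it into the command.

    The vulnerable pattern is a templated command of the form
        echo "run_id={{ run_id }}"
    where the rendered value becomes part of the shell syntax. Here the
    command string is a constant and the value is handed to the shell only
    through an environment variable, so it is printed literally whatever
    it contains (the shell never parses it as code).
    """
    env = dict(os.environ, RUN_ID=run_id)
    result = subprocess.run(
        ["sh", "-c", 'printf "run_id=%s\\n" "$RUN_ID"'],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def trigger_run(run_id: str) -> str:
    """Defence in depth: reject a suspicious run_id before anything runs."""
    if not is_safe_run_id(run_id):
        raise ValueError(f"rejected run_id: {run_id!r}")
    return echo_run_id_via_env(run_id)
```

Even a run_id containing metacharacters comes back unchanged from `echo_run_id_via_env`, which is the check to run against any task that still templates user input into a shell command.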

What is the Impact of CVE-2022-40127?

Successful exploitation may allow attackers to execute arbitrary code or commands on the underlying system, leading to full system compromise, data theft, data corruption, or denial of service.

What is the Exploitability of CVE-2022-40127?

Exploitation of this vulnerability requires an authenticated attacker with UI access to Apache Airflow and the specific permission to trigger DAGs. The attacker must manually provide a crafted 'run_id' parameter. The attack is carried out through the web application and requires valid credentials. The complexity is low once authentication and trigger permissions are obtained, as it involves entering a malicious string into a specific UI field. The risk is higher where user permissions are overly permissive and many users are allowed to trigger DAGs.

What are the Known Public Exploits?

PoC Author   Link   Commentary
Mr-xn        Link   Apache Airflow < 2.4.0 DAG example_bash_operator RCE POC
jakabakos    Link   CVE-2022-40127 PoC and exploit

What are the Available Fixes for CVE-2022-40127?

Available Upgrade Options

  • apache-airflow
    • <2.4.0 → Upgrade to 2.4.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-40127?

Similar Vulnerabilities: CVE-2022-26134, CVE-2021-44228, CVE-2020-17530, CVE-2019-1002012, CVE-2017-7679