CVE-2023-22884
Command Injection vulnerability in apache-airflow (PyPI)
What is CVE-2023-22884 About?
This Command Injection vulnerability affects Apache Airflow and its MySQL Provider due to improper neutralization of special elements used in a command. Attackers can inject arbitrary commands for execution. Exploitation requires sending specially crafted input to vulnerable versions of the software.
Affected Software
- apache-airflow
- <2.5.1
- apache-airflow-providers-mysql
- <4.0.0
Technical Details
The vulnerability is an Improper Neutralization of Special Elements used in a Command, commonly known as Command Injection. It affects Apache Airflow (before 2.5.1) and Apache Airflow MySQL Provider (before 4.0.0). The underlying mechanism involves the application constructing system commands or database queries using unsanitized user-supplied input. An attacker can embed command separators or special characters within their input, causing the application to execute unintended commands on the underlying operating system or database, gaining unauthorized control.
What is the Impact of CVE-2023-22884?
Successful exploitation may allow attackers to execute arbitrary commands on the underlying operating system, compromise data integrity, gain unauthorized access to system resources, or completely take over the affected server.
What is the Exploitability of CVE-2023-22884?
Exploitation is of medium complexity, requiring an understanding of how the Airflow components construct and execute commands. It likely requires authentication to submit the malicious input, and thus, potentially user-level privileges would be necessary. This is a remote vulnerability, as the attacker sends crafted input over the network. The principal risk factor is the failure to properly sanitize or escape user-controlled data before it is incorporated into system commands or shell scripts, making it vulnerable to malicious injection.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| jakabakos | Link | CVE-2023-22884 PoC |
What are the Available Fixes for CVE-2023-22884?
Available Upgrade Options
- apache-airflow
- <2.5.1 → Upgrade to 2.5.1
- apache-airflow-providers-mysql
- <4.0.0 → Upgrade to 4.0.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-c732-xvv8-g94c
- https://github.com/apache/airflow/pull/28811
- https://github.com/apache/airflow
- https://github.com/apache/airflow/pull/28811
- https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h
- https://nvd.nist.gov/vuln/detail/CVE-2023-22884
- https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h
What are Similar Vulnerabilities to CVE-2023-22884?
Similar Vulnerabilities: CVE-2023-46604 , CVE-2023-38031 , CVE-2023-37920 , CVE-2023-35919 , CVE-2023-34533
