CVE-2022-38362 : Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that

Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.

Published 2022-08-16 14:15:08

Updated 2022-08-17 12:20:46

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2022-38362

Apache » Apache-airflow-providers-docker
Versions before (<) 3.0.0
cpe:2.3:a:apache:apache-airflow-providers-docker:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-38362

EPSS FAQ

0.50%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-38362

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2022-38362

http://www.openwall.com/lists/oss-security/2022/08/16/1

oss-security - CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
Third Party Advisory
https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb

CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag-Apache Mail Archives
Mailing List;Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-38362

Products affected by CVE-2022-38362

Exploit prediction scoring system (EPSS) score for CVE-2022-38362

CVSS scores for CVE-2022-38362

References for CVE-2022-38362