Vulnerability Details : CVE-2022-38362

Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.

Published 2022-08-16 14:15:08

Updated 2022-08-17 12:20:46

Source Apache Software Foundation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-38362

Probability of exploitation activity in the next 30 days: 0.07%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 29 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-38362

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2022-38362

http://www.openwall.com/lists/oss-security/2022/08/16/1

oss-security - CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
Third Party Advisory
https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb

CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag-Apache Mail Archives
Mailing List;Vendor Advisory

Products affected by CVE-2022-38362

Apache » Apache-airflow-providers-docker
Versions before (<) 3.0.0
cpe:2.3:a:apache:apache-airflow-providers-docker:*:*:*:*:*:*:*:*
Matching versions