PT-2022-5600 · Apache · Apache Airflow

L3Yx · Published 2022-11-14 · Updated 2026-02-20 · CVE-2022-40127

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.4.0
Description: A vulnerability in the Example DAGs shipped with Apache Airflow stems from improper control of code generation. An attacker with UI access who is allowed to trigger DAGs can execute arbitrary commands by supplying a crafted value in the manually provided run id parameter. Successful exploitation lets a remote attacker run arbitrary commands on the host that executes the DAG.
Recommendations: For versions prior to 2.4.0, update to version 2.4.0 or later. As a temporary workaround, restrict who can set the run id parameter for the affected DAGs to minimize the risk of exploitation. Additionally, limiting UI access to trusted users reduces the attack surface.
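The description says the manually supplied run id ends up in generated code and reaches a shell. The following added example (not code from the advisory or from the Airflow project; it assumes a hypothetical DAG task that echoes the run id, and the allow-list pattern and sample audit events are constructed for illustration) shows the weak pattern, how a practitioner can confirm whether a run id would be split into more than one shell command, the hardened argv-based form, and an audit-log sweep that flags triggers whose run id fails the allow-list:

```python
import re
import shlex
from typing import Iterable

# Allow-list for manually supplied run ids. Constructed for this example; the
# format the real scheduler accepts may differ. Letters, digits and a few
# separators only, so nothing a shell or template engine would interpret.
RUN_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:+-]{0,249}$")


def is_safe_run_id(run_id: str) -> bool:
    """True when the run id matches the allow-list (no shell metacharacters, no spaces)."""
    return RUN_ID_RE.fullmatch(run_id) is not None


def build_shell_command_unsafe(run_id: str) -> str:
    """Weak pattern (hypothetical): the user-controlled run id is pasted into a shell string."""
    return f"echo processing run {run_id}"


def shell_segments(command: str) -> list[list[str]]:
    """Tokenise a command string the way a POSIX shell would, splitting on ; & | ( ) < >.

    Returns one argv list per command, so more than one segment means the run id
    smuggled in an extra command.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.wordchars += ":+"  # keep timestamps such as 10:00:00 inside one token
    segments: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                segments.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def build_argv_safe(run_id: str) -> list[str]:
    """Hardened form: validate against the allow-list, then pass the run id as one
    argv element (no shell involved), so metacharacters are never interpreted."""
    if not is_safe_run_id(run_id):
        raise ValueError(f"rejected run id: {run_id!r}")
    return ["echo", "processing run", run_id]


def suspicious_triggers(events: Iterable[dict]) -> list[dict]:
    """Detection: flag manual DAG triggers whose run id fails the allow-list."""
    return [e for e in events if not is_safe_run_id(e.get("run_id", ""))]


# Constructed sample audit events, not real Airflow log data.
SAMPLE_EVENTS = [
    {"user": "alice", "dag_id": "example_bash", "run_id": "manual__2022-11-14T10:00:00"},
    {"user": "mallory", "dag_id": "example_bash", "run_id": "run-1; echo injected"},
    {"user": "bob", "dag_id": "example_bash", "run_id": "run-42"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        cmd = build_shell_command_unsafe(event["run_id"])
        print(f"{event['run_id']!r} -> {len(shell_segments(cmd))} shell command(s)")
    print("flagged users:", [e["user"] for e in suspicious_triggers(SAMPLE_EVENTS)])
```

Running the block shows the weak builder turning the second sample run id into two shell commands, while `build_argv_safe` rejects it before anything is executed. The sweep in `suspicious_triggers` is the check to run over historical trigger records when assessing exposure on an instance that has not yet been upgraded to 2.4.0.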

Exploit

Fix

Weakness Enumeration

OS Command Injection

Code Injection

Related Identifiers

BDU:2022-06963
BIT-AIRFLOW-2022-40127
CVE-2022-40127
GHSA-6PW3-8H9W-32GC
PYSEC-2022-42982

Affected Products

Apache Airflow