CVE-2023-22884 - OpenCVE

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Apache-airflow-providers-mysql Airflow

Configuration 1 [-]

OR	cpe:2.3:a:apache:airflow::::::::
	cpe:2.3:a:apache:apache-airflow-providers-mysql::::::::

References

Link	Resource
https://github.com/apache/airflow/pull/28811	Patch Third Party Advisory
https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-01-21T13:02:49.475Z

Updated: 2023-07-12T10:11:50.999Z

Reserved: 2023-01-09T19:22:17.207Z

Link: CVE-2023-22884

JSON object: View

NVD Information

Status : Modified

Published: 2023-01-21T14:15:10.280

Modified: 2023-11-07T04:07:28.950

Link: CVE-2023-22884

JSON object: View

Redhat Information

No data.

CWE

CWE-77

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-22884", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-01-09T19:22:17.207Z", "datePublished": "2023-01-21T13:02:49.475Z", "dateUpdated": "2023-07-12T10:11:50.999Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.5.1", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Apache Airflow MySQL Provider", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "4.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Son Tran from VNPT - VCI"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.<p>This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.</p>"}], "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-12T10:11:50.999Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/28811"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}