AVID-2026-R1119
Description
Docker Provider <3.0 RCE vulnerability in example dag (CVE-2022-38362)
Details
The Apache Airflow Docker Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to authenticated remote code execution on the Airflow worker host.
Reason for inclusion in AVID: CVE-2022-38362 describes an authenticated remote code execution in Apache Airflow’s Docker Provider due to a vulnerable example DAG shipped prior to 3.0.0. Airflow is a widely used orchestration tool in ML/AI pipelines and related software stacks. This constitutes a software supply-chain issue affecting components commonly used to build/run general-purpose AI systems (orchestration, deployment, and workflow tooling). The vulnerability is security-focused (RCE), and the provided description with references offers sufficient signal for AVID classification.
References
- NVD entry
- https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb
- http://www.openwall.com/lists/oss-security/2022/08/16/1
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-08-16
- Version: 0.3.3
- AVID Entry