We use cookies to improve your experience on our site.
AVID-2026-R1126
Description
Apache Airlfow Pig Provider RCE (CVE-2022-40189)
Details
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
Reason for inclusion in AVID: CVE-2022-40189 is an OS command injection (RCE) in Apache Airflow Pig Provider. Airflow is a workflow orchestrator widely used to build and run AI/ML pipelines and data processing tasks. Exploitation enables remote code execution in the task execution context, affecting the software stack used to develop, train, and deploy AI systems. This constitutes a software supply-chain vulnerability in components used to run general-purpose AI systems, with clear CVE-based security impact.
References
- NVD entry
- https://github.com/apache/airflow/pull/27644
- https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airlfow Pig Provider |
| System | Apache Airflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-78 | CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-11-22
- Version: 0.3.3
- AVID Entry