AVID-2026-R1130

Description

Apache Airflow Spark Provider RCE that bypasses restrictions to read arbitrary files (CVE-2022-40954)

Details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the Apache Airflow Spark Provider allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also affects any Apache Airflow version prior to 2.3.0 if the Spark Provider is installed (Spark Provider 4.0.0 can only be installed on Airflow 2.3.0+). Note that an Airflow 2.3.0+ installation that ships with an older Spark Provider remains vulnerable until Spark Provider 4.0.0 is installed manually.

Reason for inclusion in AVID: CVE-2022-40954 is an OS command injection vulnerability in the Apache Airflow Spark Provider that allows reading arbitrary files in the task execution context (RCE). While not AI-specific, Airflow and the Spark Provider are commonly used to orchestrate and run ML/AI data pipelines and workloads, making this a software supply chain issue relevant to general-purpose AI systems. The vulnerability affects software components (Airflow, Spark Provider) used in AI pipelines and can impact AI workloads if exploited. The report provides clear signals: vulnerability description, affected versions, and references. Therefore, it meets AI relevance, GP AI supply chain relevance, security/vulnerability nature, and sufficiency of evidence.

References

Affected or Relevant Artifacts

  • Developer: Apache Software Foundation
  • Deployer: Apache Software Foundation
  • Artifact Details:
    Type     Name
    System   Apache Airflow Spark Provider
    System   Apache Airflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CWE

ID       Description
CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-11-22
  • Version: 0.3.3
  • AVID Entry