AVID-2026-R1168
Description
Apache Airflow Hive Provider: Hive Provider RCE vulnerability with hive_cli_params (CVE-2022-46421)
Details
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: versions before 5.0.0.
Reason for inclusion in AVID: CVE-2022-46421 describes a remote code execution (command injection) vulnerability in the Apache Airflow Hive Provider, exploitable before version 5.0.0. Apache Airflow and its providers are widely used to orchestrate AI/ML pipelines (data preparation, feature extraction, model training/validation, deployment workflows). As a vulnerability in a software component commonly used in AI workflows, this constitutes a software supply-chain issue impacting general-purpose AI systems. The vulnerability is security-related (RCE) and the report provides explicit CVE details and references.
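As an added defensive illustration (not the provider's own code, and not the change made in the referenced pull request, which this record does not describe), the check below allowlists what a hive_cli_params string may contain before it is placed in an argv list; the accepted flags, the value patterns and the function names are assumptions made for the example.

```python
import re
import shlex

# Assumed allowlist for illustration: only these hive CLI flags are accepted,
# each followed by exactly one value that must match a narrow pattern.
ALLOWED_FLAGS = {"-hiveconf", "-hivevar", "-database"}
KEY_VALUE = re.compile(r"^[A-Za-z0-9_.]+=[A-Za-z0-9_./:\-]*$")
SIMPLE_VALUE = re.compile(r"^[A-Za-z0-9_.]+$")


def validate_hive_cli_params(params: str) -> list[str]:
    """Return an argv fragment for params, or raise ValueError if unsafe."""
    try:
        tokens = shlex.split(params)  # quotes in the input do not help: each token is checked
    except ValueError as exc:
        raise ValueError(f"unparsable hive_cli_params: {exc}") from exc
    argv: list[str] = []
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"flag not permitted: {flag!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"flag {flag} has no value")
        value = tokens[i + 1]
        pattern = SIMPLE_VALUE if flag == "-database" else KEY_VALUE
        if not pattern.match(value):
            # Shell metacharacters, whitespace and extra flags all fail here.
            raise ValueError(f"value rejected for {flag}: {value!r}")
        argv += [flag, value]
        i += 2
    return argv


def is_safe(params: str) -> bool:
    """Convenience predicate: True when validate_hive_cli_params accepts params."""
    try:
        validate_hive_cli_params(params)
        return True
    except ValueError:
        return False


def build_hive_argv(params: str, query_file: str) -> list[str]:
    # Build an argv list for subprocess.run(..., shell=False); never join into
    # a shell string, so validated tokens cannot be re-split or chained.
    return ["hive", *validate_hive_cli_params(params), "-f", query_file]
```

Run the result with subprocess.run(argv) and no shell; the validator rejects any token that is not an allowlisted flag followed by one well-formed value.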
References
- NVD entry for CVE-2022-46421
- https://github.com/apache/airflow/pull/28101
- https://lists.apache.org/thread/09twdoyoybldlfj5gvk0qswtofh0rmp4
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow Hive Provider |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-12-20
- Version: 0.3.3
- AVID Entry