CVE-2022-38362: Remote code execution in Apache Airflow Docker's Provider

August 17, 2022 (updated April 13, 2023)

Apache Airflow Docker’s Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.

References

www.openwall.com/lists/oss-security/2022/08/16/1
github.com/advisories/GHSA-746v-hfh2-xphm
lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb
nvd.nist.gov/vuln/detail/CVE-2022-38362

Code Behaviors & Features

Detect and mitigate CVE-2022-38362 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →