CVE-2022-38362

Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
apacheCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
apacheapache-airflow-providers-docker
𝑥
< 3.0.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
apacheairflow
𝑥
< 3.0.0
CNA
References
http://www.openwall.com/lists/oss-security/2022/08/16/1
https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb
http://www.openwall.com/lists/oss-security/2022/08/16/1
https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb