CVE-2022-40127: Apache Airflow RCE vulnerability

The Apache Software Foundation on Monday addressed two [1,2] vulnerabilities in Apache Airflow that could allow an attacker to execute arbitrary commands on a worker and to view sensitive values in rendered task templates.

Apache Airflow is a platform to programmatically author, schedule, and monitor workflows. Use Airflow to author workflows as directed acyclic graphs (DAGs) of tasks. The Airflow scheduler executes your tasks on an array of workers while following the specified dependencies. Rich command line utilities make performing complex surgeries on DAGs a snap. The rich user interface makes it easy to visualize pipelines running in production, monitor progress, and troubleshoot issues when needed.

Tracked as CVE-2022-40127, the flaw affects Apache Airflow versions prior to 2.4.0. An attacker with access to the Airflow UI who is allowed to trigger DAGs could execute arbitrary commands by supplying a crafted run_id when manually triggering one of the example DAGs that ship with Airflow, because those example DAGs render the run_id into a command that is then executed. L3yx of the Syclover Security Team has been credited with reporting the vulnerability. As a mitigation, do not enable the example DAGs (the core load_examples setting) on systems whose UI users should not be allowed to execute arbitrary commands.
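The bug class behind CVE-2022-40127, shown as an added example (this is not Airflow's example DAG code; the template text, the environment-variable rewrite and the run_id allowlist are assumptions made for the demonstration): a user-chosen run_id rendered into a shell command line is parsed by the shell as code, while the same value passed through an environment variable is not.

```python
"""Added illustration of the CVE-2022-40127 bug class: an attacker-chosen
run_id rendered into a BashOperator-style command string.  Example code, not
Airflow's own example DAG; template text and allowlist are assumptions."""
import os
import re
import subprocess

# Stand-in for Airflow's Jinja rendering of "{{ run_id }}" (assumption: a plain
# substitution is enough to show the problem; Airflow itself uses Jinja2).
def render_template(template: str, context: dict) -> str:
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: str(context[m.group(1)]), template)

def _sh(cmd: str, env=None) -> str:
    """Run a command line through /bin/sh and return its stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, env=env).stdout

# Vulnerable pattern: the user-controlled value becomes part of the command text.
def vulnerable_bash_task(run_id: str) -> str:
    cmd = render_template('echo "run_id={{ run_id }}"', {"run_id": run_id})
    return _sh(cmd)

# Hardened pattern: the value travels in an environment variable (BashOperator's
# env= parameter can do the same), so the shell never parses it as code.
def hardened_bash_task(run_id: str) -> str:
    return _sh('echo "run_id=$RUN_ID"', env={**os.environ, "RUN_ID": run_id})

# Defence in depth: reject run_ids that do not look like the timestamps or labels
# Airflow generates (conservative allowlist; an assumption, not Airflow's check).
RUN_ID_RE = re.compile(r"^[A-Za-z0-9_.:+-]+$")

def is_safe_run_id(run_id: str) -> bool:
    return bool(RUN_ID_RE.match(run_id))

# Constructed payload: closes the quoted echo argument and appends a second command.
PAYLOAD = 'manual__2022-11-14"; echo INJECTED; echo "'

if __name__ == "__main__":
    print(vulnerable_bash_task(PAYLOAD))   # second line of output reads INJECTED
    print(hardened_bash_task(PAYLOAD))     # payload is printed literally
    print(is_safe_run_id(PAYLOAD))         # False
```

Airflow's own BashOperator documentation warns that bash_command performs no escaping of templated input; the env= route above is the documented way to get user-supplied values into a bash task without letting the shell interpret them.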

The second flaw, tracked as CVE-2022-27949, affects all versions of Apache Airflow prior to 2.3. "A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed)," Apache Airflow noted.
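What "masking rendered template values" means in practice, as an added example (this is not Airflow's SecretsMasker; the sensitive-key list, the sample rendered fields and the known-secret values are constructed for the demonstration): once a task's templated fields have been rendered, any connection password or API token resolved into them is plain text, so a UI that shows rendered values must scrub them on every display path, including tasks that never ran.

```python
"""Added illustration of masking secrets in a task's rendered template values
before they are shown in a UI.  Example code, not Airflow's SecretsMasker; the
sensitive-key list and sample data are assumptions for the demonstration."""
from typing import Any, Iterable

# Key names treated as sensitive wherever they appear (assumption; Airflow's
# list is configurable).  Matched as substrings, so DB_PASSWORD is caught.
SENSITIVE_KEYS = ("password", "passwd", "secret", "api_key", "apikey",
                  "token", "access_key", "private_key", "authorization")
MASK = "***"

def is_sensitive_key(key: Any) -> bool:
    return isinstance(key, str) and any(s in key.lower() for s in SENSITIVE_KEYS)

def redact(value: Any, known_secrets: Iterable[str] = (), key: Any = None) -> Any:
    """Return a copy of value with secrets replaced by MASK.

    A value is masked when its key looks sensitive, and every string is scrubbed
    of the known secret values so a secret embedded in a command line is caught.
    """
    if is_sensitive_key(key):
        return MASK
    if isinstance(value, dict):
        return {k: redact(v, known_secrets, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v, known_secrets) for v in value)
    if isinstance(value, str):
        for secret in known_secrets:
            if secret:
                value = value.replace(secret, MASK)
    return value

# Constructed rendered fields for a task that never ran: secrets resolved from
# connections or variables are already baked into the strings.
RENDERED_FIELDS = {
    "bash_command": "curl -H 'Authorization: Bearer s3cr3t-token-123' https://api.example.invalid/",
    "env": {"DB_USER": "airflow", "DB_PASSWORD": "hunter2"},
}
# Secret values the masker knows about (in Airflow these come from connections
# and variables as they are read); constructed here.
KNOWN_SECRETS = ("s3cr3t-token-123", "hunter2")

def masked_rendered_fields() -> dict:
    """The view a UI should render instead of RENDERED_FIELDS."""
    return redact(RENDERED_FIELDS, KNOWN_SECRETS)

if __name__ == "__main__":
    print(masked_rendered_fields())
```

The two rules complement each other: key matching catches a secret stored under an obvious name, value matching catches the same secret after it has been interpolated into an unrelated field such as a command line.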

It is recommended to upgrade Apache Airflow to 2.4.0 or later, which contains the fixes for both flaws.