
=====================================================================

                               CERT-Renater

                   Note d'Information No. 2022/VULN436

_____________________________________________________________________

DATE                : 24/11/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow Pig Provider
                                  versions prior to 4.0.0,
                         Apache Airflow versions prior to 2.3.0.

=====================================================================
https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15
_____________________________________________________________________

CVE-2022-40189: Apache Airflow Pig Provider RCE
Severity: moderate

Description:

Improper Neutralization of Special Elements used in an OS Command
('OS Command Injection') vulnerability in Apache Airflow Pig
Provider, Apache Airflow allows an attacker to control commands
executed in the task execution context, without write access to
DAG files. This issue affects Pig Provider versions prior to 4.0.0.
It also impacts any Apache Airflow versions prior to 2.3.0 in case
Pig Provider is installed (Pig Provider 4.0.0 can only be installed
for Airflow 2.3.0+). Note that you need to manually install the Pig
Provider version 4.0.0 in order to get rid of the vulnerability on
top of Airflow 2.3.0+ version.
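The affected-version conditions above can be turned into a quick inventory check. The following is an added example written for this note, not code from Apache Airflow or the advisory; it assumes `pip freeze`-style output and the PyPI distribution names `apache-airflow` and `apache-airflow-providers-apache-pig`, and the sample lines are constructed.

```python
import re
from typing import Optional

# Constructed pip-freeze style sample (not a real installation).
SAMPLE_FREEZE = """\
apache-airflow==2.2.5
apache-airflow-providers-apache-pig==3.0.0
requests==2.28.1
"""

def parse_version(v: str) -> tuple:
    """Reduce a version string such as '2.3.0' or '4.0.0rc1' to a comparable
    tuple of its numeric release components (pre-release tags are ignored)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())

def is_affected(airflow_version: str, pig_provider_version: Optional[str]) -> bool:
    """Apply the advisory's conditions for CVE-2022-40189:
    - no Pig Provider installed            -> not affected
    - Pig Provider older than 4.0.0        -> affected
    - Airflow older than 2.3.0 with the Pig Provider installed -> affected
      (Pig Provider 4.0.0 cannot be installed there)."""
    if pig_provider_version is None:
        return False
    pig_old = parse_version(pig_provider_version) < (4, 0, 0)
    airflow_old = parse_version(airflow_version) < (2, 3, 0)
    return pig_old or airflow_old

def versions_from_freeze(text: str) -> dict:
    """Map lowercase distribution names to pinned versions from 'name==version' lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        found[name.strip().lower()] = version.strip()
    return found

def assess(freeze_text: str) -> str:
    """Return 'affected', 'not-affected' or 'airflow-not-found' for a freeze listing."""
    pkgs = versions_from_freeze(freeze_text)
    airflow = pkgs.get("apache-airflow")
    if airflow is None:
        return "airflow-not-found"
    pig = pkgs.get("apache-airflow-providers-apache-pig")
    return "affected" if is_affected(airflow, pig) else "not-affected"
```

Run `assess(SAMPLE_FREEZE)` on the constructed listing above and it reports `affected` (Airflow 2.2.5 with Pig Provider 3.0.0); pass the output of `pip freeze` from each Airflow environment to check real installations.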


Credit:

Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team
for reporting the issue.


References:

https://github.com/apache/airflow/pull/27644



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================