CVE-2022-38362
Remote code execution in Apache Airflow Docker's Provider
8.8
HIGH
CVSS 3.1
EPSS 0.71%
Description
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that allowed an authenticated Airflow user to execute arbitrary code on the Airflow worker host. Disable loading of example DAGs, or upgrade apache-airflow-providers-docker to 3.0.0 or above.
How to fix CVE-2022-38362
To remediate CVE-2022-38362, upgrade the affected package to a fixed version below.
- apache-airflow-providers-docker: upgrade to 3.0.0 or later
Is CVE-2022-38362 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- apache-airflow-providers-docker: from 0, < 3.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |