admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-12 02:05:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#8012

Browse Source 
Auto-merge PR#8012
This commit is contained in:
CVE Team 2022-11-14 04:35:20 -05:00 committed by GitHub
commit 035f22f120
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 148 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
2022/27xxx/CVE-2022-27949.json
View File

@ -1,18 +1,78 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-27949",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Apache Airflow prior to 2.3.1 may include sensitive values in rendered template"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Airflow",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "2.3.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "BUGTRAQ",
"url": "https://github.com/apache/airflow/pull/22754"
},
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}

89
2022/40xxx/CVE-2022-40127.json
View File

@ -1,18 +1,91 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-40127",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Apache Airflow <2.4.0 has an RCE in a bash example"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Airflow",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "Apache Airflow",
"version_value": "2.4.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Airflow PMC would like to thank L3yx of Syclover Security Team."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0."
}
]
}
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "BUGTRAQ",
"url": "https://github.com/apache/airflow/pull/25960"
},
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Do not enable example dags on systems that should not allow UI user to execute an arbitrary command."
}
]
}