An irrelevant code vulnerability exists within the example DAGs in Apache Airflow 2.3.4 and earlier that, when exploited, allows a remote attacker to execute arbitrary commands. Proof-of-concept (PoC) code is publicly available.
 

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support.

For a complete description of the vulnerabilities and affected systems go to:

• Apache Airflow CVE-2022-40127 
• Apache Pinot CVE-2022-26112

IT Security

Read more about IT Security service offerings.