
CVE-2022-46421: Apache Airflow Hive Provider vulnerable to Command Injection

CVSS Score: 9.8

Basic Information

EPSS Score: -
Published: 12/20/2022
Updated: 1/28/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: apache-airflow-providers-apache-hive
Ecosystem: pip
Vulnerable Versions: < 5.0.0
First Patched Version: 5.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how 'hive_cli_params' were handled before being passed to Hive CLI commands. The fix in PR #28101 moved these parameters from connection configuration (user-managed) to hook parameters (code-managed), indicating the original implementation in HiveCliHook.run_cli used unsanitized user input from connections to build OS commands. This matches the CWE-77 pattern of command injection via untrusted input in command execution contexts.
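As an added illustration of the pattern described above (constructed model code, not the Apache Airflow Hive provider's own implementation; the function names, the flag allowlist and the sample connection extra are assumptions): the "before" form splices a user-managed connection value into a shell string, the "after" form takes the parameters as a code-managed hook argument, validates each token and hands them to the process as an argv list so no shell ever parses them.

```python
import re
import subprocess

# Constructed model of the CWE-77 pattern in the root-cause analysis above.
# It is NOT the Apache Airflow Hive provider's code; names are hypothetical.

def vulnerable_hive_command(conn_extra: dict, hql_file: str) -> str:
    """Before: hive_cli_params come from the connection's 'extra' JSON, which
    anyone allowed to edit connections controls, and are spliced verbatim
    into a string that a shell will later parse."""
    params = conn_extra.get("hive_cli_params", "")
    return f"hive {params} -f {hql_file}"

# Only the flags the hook author chose to support; everything else is refused.
ALLOWED_FLAGS = {"-hiveconf", "--hiveconf", "-hivevar", "--hivevar", "-S", "--silent"}
VALUELESS_FLAGS = {"-S", "--silent"}
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.=/:-]+$")  # no whitespace or shell metacharacters

def hardened_hive_argv(hive_cli_params: list[str], hql_file: str) -> list[str]:
    """After: hive_cli_params are a code-managed hook argument (a list, never
    a shell string), checked token by token and returned as argv."""
    argv = ["hive"]
    i = 0
    while i < len(hive_cli_params):
        flag = hive_cli_params[i]
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"unsupported hive CLI flag: {flag!r}")
        argv.append(flag)
        if flag not in VALUELESS_FLAGS:
            if i + 1 >= len(hive_cli_params):
                raise ValueError(f"{flag} requires a value")
            value = hive_cli_params[i + 1]
            if not SAFE_TOKEN.match(value):
                raise ValueError(f"rejected hive CLI value: {value!r}")
            argv.append(value)
            i += 1
        i += 1
    if not SAFE_TOKEN.match(hql_file):
        raise ValueError(f"rejected HQL path: {hql_file!r}")
    argv += ["-f", hql_file]
    return argv

def run_hive(argv: list[str]) -> subprocess.CompletedProcess:
    # argv list with shell=False: each element reaches hive as one argument.
    return subprocess.run(argv, shell=False, check=True, capture_output=True)
```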


WAF Protection Rules

WAF Rule

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider before 5.0.0.
