Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
Apache Airflow's Docker provider shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host.

Vulnerability summary: in Airflow 2.3.3, the example DAG script example_docker_copy_data.py of the Docker provider contains a command injection vulnerability (RCE) that yields operating-system command execution on the worker.

Source path: airflow-2.3.3/airflow/providers/docker/example_dags/example_docker_copy_data.py

Vulnerability details:

(1) Vulnerability principle:

1. The source code of example_docker_copy_data.py shows that the script executes a bash command. The parameter `source_location` in the template expression {{params.source_location}} is externally controllable and is rendered through a Jinja2 template: {F1869746}

2. Following the `from airflow.operators.bash import BashOperator` import, the value of the bash_command parameter is executed as a bash script: {F1869748}

(2) Vulnerability exploit:

1. Open the DAGs menu, start the docker_sample_copy_data task and select "Trigger DAG w/ config": http://192.168.3.17:8080/trigger?dag_id=docker_sample_copy_data {F1869749}

2. To construct the payload, commands can be separated with ';', so arbitrary operating-system commands are injected and executed (RCE). {F1869750}

PAYLOAD: {"source_location":";touch /tmp/thisistest;"} Then click Trigger to execute the task. {F1869755}

The final command is as follows: locate_file_cmd = """ sleep 10 find......
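A stdlib-only Python model of the pattern described above, added here as an example that is not from the report or the Airflow project: it mimics the Jinja2 rendering of `{{ params.source_location }}` into `bash_command`, shows why an unquoted trigger-config value turns into extra shell commands, and gives two defensive fixes (shell-quoting the value, and validating it before rendering). The template string, the helper names and the path pattern are assumptions.

```python
import re
import shlex

# Constructed stand-in for the DAG's bash_command template (not the real
# example_docker_copy_data.py text); the placeholder is the one the report names.
BASH_COMMAND_TEMPLATE = "find {{ params.source_location }} -type f | head -1"


# Minimal stand-in for the Jinja2 rendering Airflow applies to bash_command:
# only `{{ params.<name> }}` placeholders are substituted.
def render(template: str, params: dict) -> str:
    return re.sub(r"\{\{\s*params\.(\w+)\s*\}\}",
                  lambda m: str(params[m.group(1)]), template)


# Vulnerable pattern: the trigger-config value lands unquoted in the shell string.
def render_unsafe(params: dict) -> str:
    return render(BASH_COMMAND_TEMPLATE, params)


# Fix 1: shell-quote every parameter, so the shell sees one argument per value.
def render_safe(params: dict) -> str:
    return render(BASH_COMMAND_TEMPLATE,
                  {k: shlex.quote(str(v)) for k, v in params.items()})


# Fix 2: accept only plain absolute paths before anything is rendered (assumed policy).
SOURCE_LOCATION_RE = re.compile(r"/[A-Za-z0-9_./-]+")


def validate_source_location(value: str) -> bool:
    return SOURCE_LOCATION_RE.fullmatch(value) is not None and ".." not in value


# Defender's check: how many ';'-separated commands would bash run for this string?
# Quoted ';' characters stay inside their word; unquoted ones become separators.
def count_shell_commands(cmd: str) -> int:
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=";")
    lex.whitespace_split = True
    return sum(1 for tok in lex if tok == ";") + 1


if __name__ == "__main__":
    benign = {"source_location": "/data/input"}
    hostile = {"source_location": ";touch /tmp/thisistest;"}  # payload from the report
    for params in (benign, hostile):
        for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
            cmd = fn(params)
            print(f"{name:6} -> {count_shell_commands(cmd)} command(s): {cmd}")
    print("validate hostile:", validate_source_location(hostile["source_location"]))
```

Nothing here is executed by a shell; the counter only tokenises the rendered string so the difference between the unquoted and quoted renderings is visible without running them.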