{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202742?format=json","vulnerability_id":"VCID-7xea-ge93-yuee","summary":"","aliases":[{"alias":"CVE-2022-38649"},{"alias":"GHSA-7wqf-h36w-47mc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27882?format=json","purl":"pkg:pypi/apache-airflow@2.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1963-1kyn-2ban"},{"vulnerability":"VCID-1azm-hsvr-f3e8"},{"vulnerability":"VCID-1ptn-xvsy-d3hu"},{"vulnerability":"VCID-2q7x-bua5-37h7"},{"vulnerability":"VCID-4693-xwwu-7uem"},{"vulnerability":"VCID-4btd-59ga-1yd4"},{"vulnerability":"VCID-4u8d-ezsr-sqcz"},{"vulnerability":"VCID-5ph5-s3qc-guf4"},{"vulnerability":"VCID-5ufe-1rrj-rkgp"},{"vulnerability":"VCID-7z8j-8f4d-53dm"},{"vulnerability":"VCID-82p8-yujf-hkdd"},{"vulnerability":"VCID-8m3p-yzr8-yyhj"},{"vulnerability":"VCID-8npr-rvfd-jkfj"},{"vulnerability":"VCID-8ykk-1kak-6bfd"},{"vulnerability":"VCID-arbk-dryb-qkda"},{"vulnerability":"VCID-ctd9-hxfn-8fcs"},{"vulnerability":"VCID-d3kc-fn21-xqar"},{"vulnerability":"VCID-dk1y-938p-k3bv"},{"vulnerability":"VCID-e19b-adrm-x7fu"},{"vulnerability":"VCID-fctg-457f-4uae"},{"vulnerability":"VCID-fnsx-gtgn-27dr"},{"vulnerability":"VCID-fut9-4dat-qbfy"},{"vulnerability":"VCID-gg94-fdbv-y7g1"},{"vulnerability":"VCID-hgq2-kuex-y3a3"},{"vulnerability":"VCID-hpf3-3z3m-6ydt"},{"vulnerability":"VCID-j6uh-kx6m-sydp"},{"vulnerability":"VCID-k7ea-m9cw-w3fz"},{"vulnerability":"VCID-kb4a-mm13-63bj"},{"vulnerability":"VCID-kgfb-yphg-n3ec"},{"vulnerability":"VCID-nfbc-tutd-37bw"},{"vulnerability":"VCID-p42d-ta7v-7yhn"},{"vulnerability":"VCID-pb3b-22wk-pbh5"},{"vulnerability":"VCID-pmtw-nwnc-nyfw"},{"vulnerability":"VCID-pqgj-ry81-6ua3"},{"vulnerability":"VCID-qxnw-7urw-fud2"},{"vulnerability":"VCID-rysu-xhvt-yqda"},{"vulnerability":"VCID-s49h-br5r-5yh8"},{"vulnerability":"VCID-swav-nrrn-wbcs"},{"vulnerability":"VCID-tpjn-4kru-vucv"},{"vulnerability":"VCID-vj7z-pmk3-cydg"},{"vulnerability":"VCID-vras-f42j-xqfg"},{"vulnerability":"VCID-vy44-rbar-w3fn"},{"vulnerability":"VCID-w8ff-8479-rbfq"},{"vulnerability":"VCID-x56a-2xkf-mfd3"},{"vulnerability":"VCID-xwza-guvs-83a9"},{"vulnerability":"VCID-yrx8-dtav-83av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.0"}],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38649","reference_id":"","reference_type":"","scores":[{"value":"0.08744","scoring_system":"epss","scoring_elements":"0.92633","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38649"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/1d4fd5c6eacab0b88f8660f9d780174434393f1a","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/1d4fd5c6eacab0b88f8660f9d780174434393f1a"},{"reference_url":"https://github.com/apache/airflow/pull/27641","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-29T04:35:31Z/"}],"url":"https://github.com/apache/airflow/pull/27641"},{"reference_url":"https://lists.apache.org/thread/033o1gbc4ly6dpd2xf1o201v56fbl4dz","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-29T04:35:31Z/"}],"url":"https://lists.apache.org/thread/033o1gbc4ly6dpd2xf1o201v56fbl4dz"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38649","reference_id":"CVE-2022-38649","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38649"},{"reference_url":"https://github.com/advisories/GHSA-7wqf-h36w-47mc","reference_id":"GHSA-7wqf-h36w-47mc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wqf-h36w-47mc"}],"weaknesses":[{"cwe_id":78,"name":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","description":"The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7xea-ge93-yuee"}