Severity: high

Description:
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

Mitigation:
This can be mitigated by ensuring `[core] load_examples` is set to `False`.

Credit:
The Apache Airflow PMC would like to thank Kai Zhao of the TToU Security Team for reporting this issue.
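
A check for the mitigation above, as an added example that is not part of the advisory or of Airflow's own code: it resolves the effective `load_examples` value (the `AIRFLOW__CORE__LOAD_EXAMPLES` environment variable overrides `airflow.cfg`, and an unset option defaults to enabled) and combines it with the 2.2.4 fix version. The function names, status strings and sample configs are constructed for illustration.

```python
import configparser
import re

FIXED_VERSION = (2, 2, 4)  # from the advisory: versions before 2.2.4 are affected
ENV_KEY = "AIRFLOW__CORE__LOAD_EXAMPLES"  # env override for [core] load_examples
FALSY = {"f", "false", "0"}  # values this check accepts as "disabled"


def effective_load_examples(cfg_text, environ):
    """Resolve load_examples: environment variable, then airflow.cfg, then default."""
    if ENV_KEY in environ:
        raw = environ[ENV_KEY]
    else:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(cfg_text)
        # Airflow's built-in default is True, so a missing key still loads examples.
        raw = parser.get("core", "load_examples", fallback="True")
    # Anything that is not an explicit false value counts as enabled (fail closed).
    return raw.strip().lower() not in FALSY


def is_affected_version(version):
    """True when the version's leading X.Y.Z is below the fixed release."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups()) < FIXED_VERSION


def assess(version, cfg_text, environ):
    """Return EXPOSED, MITIGATED or PATCHED for one deployment."""
    if not is_affected_version(version):
        return "PATCHED"
    if effective_load_examples(cfg_text, environ):
        return "EXPOSED"
    return "MITIGATED"


if __name__ == "__main__":
    # Constructed sample deployments: (version, airflow.cfg text, environment).
    samples = [
        ("2.2.3", "[core]\nload_examples = True\n", {}),
        ("2.2.3", "[core]\nexecutor = LocalExecutor\n", {}),  # key absent
        ("2.2.3", "[core]\nload_examples = False\n", {}),
        ("2.2.3", "[core]\nload_examples = False\n", {ENV_KEY: "True"}),
        ("2.2.4", "[core]\nload_examples = True\n", {}),
    ]
    for version, cfg, env in samples:
        print(version, repr(cfg), env, "->", assess(version, cfg, env))
```

The second and fourth samples are the cases a file-only review misses: an `airflow.cfg` with no `load_examples` line, and a file set to `False` that the environment overrides.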