CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example

Disclosed: 2023-01-05 00:47:40 By leixiao To ibb
High
Vulnerability Details
airflow-2.3.3/airflow/example_dags/example_bash_operator.py has a command injection vulnerability. I can control the run_id in the following code (example_bash_operator.py), so I can inject custom commands.

```
also_run_this = BashOperator(
    task_id='also_run_this',
    bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"',
)
```

Enter the DAGs menu and start the example_bash_operator task, select “Trigger DAG w/ config”. Set the run_id to " `touch /tmp/success` " and trigger.

{F2036322}

## Impact

Execute any OS command
Report Stats
  • Report ID: 1776476
  • State: Closed
  • Substate: resolved
  • Upvotes: 59
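
The mechanism in the report, shown beside a hardened form, as an added example that is not part of the original report or Airflow's code. It assumes `sh` in place of bash, a plain string replace standing in for Jinja rendering, a constructed harmless marker as input, and a hypothetical allow-list pattern; passing the value as an environment variable mirrors BashOperator's `env` argument.

```python
import os
import re
import subprocess

# Same template as the example DAG, reduced to the run_id part.
TEMPLATE = 'echo "run_id={{ run_id }}"'


def render(template, run_id):
    """Stand-in for Jinja rendering: text substitution with no shell quoting."""
    return template.replace("{{ run_id }}", run_id)


def run_shell(command, env=None):
    """Run a command line through `sh -c` (BashOperator uses bash) and return stdout."""
    full_env = {**os.environ, **(env or {})}
    done = subprocess.run(["sh", "-c", command], env=full_env,
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_interpolated(run_id):
    """Vulnerable pattern: the value becomes part of the shell source text."""
    return run_shell(render(TEMPLATE, run_id))


def run_via_env(run_id):
    """Hardened pattern: fixed command text, value delivered as an environment variable."""
    return run_shell('echo "run_id=$RUN_ID"', env={"RUN_ID": run_id})


# Hypothetical allow-list for run identifiers; not Airflow's own rule.
SAFE_RUN_ID = re.compile(r"[A-Za-z0-9_.:+\-]{1,250}")


def is_safe_run_id(run_id):
    """Reject anything containing shell metacharacters before it reaches a template."""
    return SAFE_RUN_ID.fullmatch(run_id) is not None


if __name__ == "__main__":
    constructed = "`echo INJECTED`"  # constructed sample input, harmless marker
    print("interpolated:", run_interpolated(constructed))  # substitution is executed
    print("via env     :", run_via_env(constructed))       # value stays literal data
    print("allow-listed:", is_safe_run_id(constructed))
```

The shell expands `$RUN_ID` once and does not re-scan the result for command substitution, which is why the second form keeps the backticks as data.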