oss-sec mailing list archives

CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read via JDBC

From: Elad Kalif <eladkal () apache org>
Date: Thu, 17 Aug 2023 13:07:16 +0000

Severity: moderate

Affected versions:

- Apache Airflow Spark Provider before 4.1.3

Description:

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in 
malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server.
It is recommended to upgrade to a version that is not affected.

Credit:

sw0rd1ight (finder)

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40272

Current thread:

CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read via JDBC Elad Kalif (Aug 17)
- Re: CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read via JDBC Seth Arnold (Aug 17)