oss-sec mailing list archives

CVE-2023-37415: Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user

From: Elad Kalif <eladkal () apache org>
Date: Wed, 12 Jul 2023 18:24:33 +0000

Severity: moderate

Affected versions:

- Apache Airflow Apache Hive Provider before 6.1.2

Description:

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.

Patching on top of CVE-2023-35797
Before 6.1.2 the proxy_user option can also inject semicolon.

This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.

It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.

Credit:

Son Tran from VNPT - VCI (reporter)

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-37415

Current thread:

CVE-2023-37415: Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user Elad Kalif (Jul 12)