'[oss-security] CVE-2023-39553: Apache Airflow Drill Provider Arbitrary File Read Vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2023-39553: Apache Airflow Drill Provider Arbitrary File Read Vulnerability
From:       Elad Kalif <eladkal () apache ! org>
Date:       2023-08-11 4:57:45
Message-ID: 40a53997-ded9-402a-6c5b-2fa76e160ad6 () apache ! org
[Download RAW message or body]

Severity: moderate

Affected versions:

- Apache Airflow Drill Provider before 2.4.3

Description:

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill \
Provider.

Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in \
malicious parameters when establishing a connection with DrillHook giving an opportunity to \
read files on the Airflow server. This issue affects Apache Airflow Drill Provider: before \
2.4.3. It is recommended to upgrade to a version that is not affected.

Credit:

sw0rd1ight of Caiji Sec Team and 4ra1n of Chaitin Tech (finder)

References:

https://github.com/apache/airflow/pull/33074
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39553

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic