
List:       oss-security
Subject:    [oss-security] CVE-2023-27604: Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerabili
From:       Elad Kalif <eladkal () apache ! org>
Date:       2023-08-25 12:17:33
Message-ID: 55a24bf6-82c1-4f5a-712d-04d187a5be30 () apache ! org

Severity: moderate

Affected versions:

- Apache Airflow Sqoop Provider before 4.0.0

Description:

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker to pass parameters with the connections, which makes it possible to carry out RCE attacks via 'sqoop import --connect', obtain Airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.

It is recommended to upgrade to a version that is not affected.

This issue was reported independently by happyhacking-k, and also by Xie Jianming and Liu Hui of Caiji Sec Team.

Credit:

happyhacking-k (finder)
Xie Jianming of Caiji Sec Team (finder)
Liu Hui of Caiji Sec Team (finder)

References:

https://github.com/apache/airflow/pull/33039
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-27604

