List: oss-security
Subject: [oss-security] CVE-2023-27604: Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerabili
From: Elad Kalif <eladkal () apache ! org>
Date: 2023-08-25 12:17:33
Message-ID: 55a24bf6-82c1-4f5a-712d-04d187a5be30 () apache ! org
Severity: moderate
Affected versions:
- Apache Airflow Sqoop Provider before 4.0.0
Description:
Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker to pass parameters with the connections, which makes it possible to carry out RCE attacks via `sqoop import --connect`, obtain Airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.
It is recommended to upgrade to a version that is not affected.
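As an added defensive illustration (not the provider's code and not the fix in the referenced pull request), the hypothetical builder below shows the pattern the advisory describes, connection-stored values spliced straight into the argv of `sqoop import --connect`, next to a variant that treats the connection store as untrusted input and validates each value before it reaches the command line. The dict shape, the regexes and the JDBC parameter allowlist are assumptions.

```python
import re
# Constructed sample connections (hypothetical dict shape, not Airflow's Connection
# model): one clean, one whose extras were edited to smuggle additional tokens.
CLEAN_CONN = {"host": "db.internal", "port": 3306, "schema": "warehouse", "extra": {}}
TAMPERED_CONN = {
    "host": "db.internal", "port": 3306, "schema": "warehouse",
    "extra": {"uri_params": "useSSL=true&unknownParam=1",
              "argv": ["--some-unexpected-option"]},
}
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
ALLOWED_URI_PARAMS = {"useSSL", "requireSSL", "serverTimezone"}  # assumed allowlist

class UnsafeConnectionError(ValueError):
    """A connection field would alter the shape of the sqoop command line."""

def build_sqoop_import_unsafe(conn, table):
    """Pattern the advisory describes: connection values trusted and spliced into argv."""
    uri = f"jdbc:mysql://{conn['host']}:{conn['port']}/{conn['schema']}"
    if conn["extra"].get("uri_params"):
        uri = f"{uri}?{conn['extra']['uri_params']}"
    return ["sqoop", "import", "--connect", uri, "--table", table,
            *conn["extra"].get("argv", [])]

def build_sqoop_import_safe(conn, table):
    """Hardened variant: allowlist every connection-derived value before using it."""
    if not _HOST_RE.match(conn["host"]) or not (0 < int(conn["port"]) < 65536):
        raise UnsafeConnectionError("bad host or port")
    if any(not _IDENT_RE.match(x) for x in (conn["schema"], table)):
        raise UnsafeConnectionError("bad schema or table identifier")
    if conn["extra"].get("argv"):
        raise UnsafeConnectionError("free-form sqoop arguments are not accepted")
    params = {}
    for pair in filter(None, conn["extra"].get("uri_params", "").split("&")):
        key, _, value = pair.partition("=")
        if key not in ALLOWED_URI_PARAMS or not _IDENT_RE.match(value):
            raise UnsafeConnectionError(f"JDBC parameter {key!r} not allowed")
        params[key] = value
    uri = f"jdbc:mysql://{conn['host']}:{conn['port']}/{conn['schema']}"
    if params:
        uri += "?" + "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return ["sqoop", "import", "--connect", uri, "--table", table]

def connection_is_safe(conn, table="t"):
    """Audit helper: True when the hardened builder accepts the stored connection."""
    try:
        build_sqoop_import_safe(conn, table)
    except (UnsafeConnectionError, KeyError, ValueError):
        return False
    return True
```

The audit helper can be run over every stored connection to flag records that the unsafe builder would have accepted but the hardened one rejects.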
This issue was reported independently by happyhacking-k and by Xie Jianming and Liu Hui of Caiji Sec Team.
Credit:
happyhacking-k (finder)
Xie Jianming of Caiji Sec Team (finder)
Liu Hui of Caiji Sec Team (finder)
References:
https://github.com/apache/airflow/pull/33039
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-27604