List: oss-security
Subject: [oss-security] CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE
From: Elad Kalif <eladkal () apache ! org>
Date: 2023-08-25 17:24:51
Message-ID: 8e892059-fa27-7086-13eb-6779d073dc58 () apache ! org
Severity: moderate
Affected versions:
- Apache Airflow Spark Provider before 4.1.3
Description:
Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.

When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend that administrators review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users.

To view the warning in the docs please visit
https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html
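The recommended review above amounts to finding every RBAC role that can create or edit Connections (the place a Spark hook's target is configured) and confirming each one is held only by fully trusted users. The following audit helper is an added example, not code from the advisory or the Airflow project; it assumes a JSON roles dump of the shape shown in the constructed sample, using Airflow's "Connections" resource name and "can_create"/"can_edit" action names.

```python
import json
from typing import Dict, List, Set

# Write actions on the Connections resource are what let a role change the
# host a Spark hook connects to. The JSON layout below is an assumption for
# this example, not a documented Airflow export contract.
CONNECTION_RESOURCE = "Connections"
WRITE_ACTIONS = {"can_create", "can_edit"}

# Constructed sample roles dump; not taken from any real deployment.
SAMPLE_ROLES_JSON = json.dumps([
    {"name": "Admin", "permissions": [
        {"action": "can_edit", "resource": "Connections"},
        {"action": "can_read", "resource": "DAGs"}]},
    {"name": "Viewer", "permissions": [
        {"action": "can_read", "resource": "Connections"}]},
    {"name": "DataTeam", "permissions": [
        {"action": "can_create", "resource": "Connections"},
        {"action": "can_read", "resource": "DAGs"}]},
])


def roles_that_can_write_connections(roles_json: str) -> Dict[str, List[str]]:
    """Map each role name to the write actions it holds on Connections."""
    result: Dict[str, List[str]] = {}
    for role in json.loads(roles_json):
        actions = sorted(
            p["action"] for p in role.get("permissions", [])
            if p.get("resource") == CONNECTION_RESOURCE
            and p.get("action") in WRITE_ACTIONS
        )
        if actions:
            result[role["name"]] = actions
    return result


def untrusted_connection_writers(roles_json: str,
                                 trusted_roles: Set[str]) -> Dict[str, List[str]]:
    """Roles that can change connections but are not on the trusted list."""
    return {name: acts
            for name, acts in roles_that_can_write_connections(roles_json).items()
            if name not in trusted_roles}


if __name__ == "__main__":
    # Only Admin is treated as fully trusted here; DataTeam should be reviewed.
    for name, acts in untrusted_connection_writers(SAMPLE_ROLES_JSON, {"Admin"}).items():
        print(f"review role {name!r}: holds {acts} on {CONNECTION_RESOURCE}")
```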
Credit:
happyhacking-k (finder)
References:
https://github.com/apache/airflow/pull/33233
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40195