CVE-2023-27604

EPSS 0.27%
Published 28.08.2023 08:15:14
Last modified 21.11.2024 07:53:14
Source security@apache.org
Teams watchlist Login
Open Login

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.

 It is recommended to upgrade to a version that is not affected.
This issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Airflow Sqoop Provider Version < 4.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.498

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/apache/airflow/pull/33039

Patch

Vendor Advisory

https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-27604

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27604

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27604

EUVD