Date: Fri, 25 Aug 2023 12:17:33 +0000 From: Elad Kalif <eladkal@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2023-27604: Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerability Severity: moderate Affected versions: - Apache Airflow Sqoop Provider before 4.0.0 Description: Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections. It is recommended to upgrade to a version that is not affected. This issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it. Credit: happyhacking-k (finder) Xie Jianming of Caiji Sec Team (finder) Liu Hui of Caiji Sec Team (finder) References: https://github.com/apache/airflow/pull/33039 https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-27604
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.