Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 25 Aug 2023 12:17:33 +0000
From: Elad Kalif <>
Subject: CVE-2023-27604: Apache Airflow Sqoop Provider: Airflow Sqoop
 Provider RCE Vulnerability 

Severity: moderate

Affected versions:

- Apache Airflow Sqoop Provider before 4.0.0


Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.

 It is recommended to upgrade to a version that is not affected.
This issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it.


happyhacking-k (finder)
Xie Jianming of Caiji Sec Team (finder)
Liu Hui of Caiji Sec Team (finder)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.