CVE-2023-22886

Name of the Vulnerable Software and Affected Versions Apache Airflow JDBC Provider versions prior to 4.0.0

Description The issue is related to improper input validation in the Apache Airflow JDBC Provider, specifically in the Connection URL parameters of the Airflow JDBC Provider Connection, which had no restrictions. This made it possible to implement Remote Code Execution (RCE) attacks via different types of JDBC drivers, allowing attackers to obtain Airflow server permission.

Recommendations For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Connection URL parameters to minimize the risk of exploitation. Avoid using the Connection URL parameter in the affected Airflow JDBC Provider Connection until the issue is resolved.