PT-2023-4070 · Apache · Apache Airflow

Elad Kalif · Published 2023-05-26 · Updated 2024-10-10 · CVE-2023-33234

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Airflow CNCF Kubernetes provider version 5.0.0

Description: The issue stems from improper neutralization of special elements in output, which can allow an attacker to execute arbitrary code. A user with elevated permissions (Op or Admin) can modify the connection object and, through the Airflow connection, change the XCom sidecar image and its resource settings.

Recommendations: Upgrade to provider version 7.0.0, which has removed the vulnerability.

Fix

Special Elements Injection


Weakness Enumeration

Related identifiers

BDU:2023-04368
CVE-2023-33234
GHSA-2RX4-9F5H-9GJF

Affected products

Apache Airflow