Liu Hui

**Name of the Vulnerable Software and Affected Versions** Apache Airflow Sqoop Provider versions prior to 4.0.0 **Description** The issue is related to insufficient input validation, which can be exploited by a remote attacker to execute arbitrary code. This can be achieved by passing parameters with connections, making it possible to implement RCE attacks via `sqoop import --connect`, and obtain Airflow server permissions. The attacker needs to be logged in and have authorization to create or edit connections. **Recommendations** To resolve the issue, upgrade to a version that is not affected, specifically version 4.0.0 or later. As a temporary workaround, consider restricting access to the `sqoop import --connect` command to minimize the risk of exploitation. Additionally, limit the ability to create or edit connections to authorized personnel only.