PT-2023-18751 · Apache · Apache Airflow Odbc Provider
Happyhacking
+1
·
Published
2023-06-29
·
Updated
2024-10-07
·
CVE-2023-22886
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Airflow JDBC Provider versions prior to 4.0.0
Description
The issue is related to improper input validation in the Apache Airflow JDBC Provider, specifically in the Connection URL parameters of the Airflow JDBC Provider Connection, which had no restrictions. This made it possible to implement Remote Code Execution (RCE) attacks via different types of JDBC drivers, allowing attackers to obtain Airflow server permission.
Recommendations
For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Connection URL parameters to minimize the risk of exploitation. Avoid using the
Connection URL parameter in the affected Airflow JDBC Provider Connection until the issue is resolved.Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow Odbc Provider