CVE-2023-28710

Name of the Vulnerable Software and Affected Versions Apache Airflow Spark Provider versions prior to 4.0.1

Description The issue is related to improper input validation in the Apache Airflow Spark Provider. This allows the host and schema of JDBC Hook to contain / and ?, which can be used to denote the end of the field. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited.

Recommendations For versions prior to 4.0.1, update to version 4.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the JDBC Hook to minimize the risk of exploitation. Avoid using the / and ? characters in the host and schema of the JDBC Hook until the issue is resolved.