CVE-2023-34395

Name of the Vulnerable Software and Affected Versions Apache Airflow ODBC Provider versions prior to 4.0.0

Description A privilege escalation vulnerability exists due to controllable ODBC driver parameters in OdbcHook, allowing the loading of arbitrary dynamic-link libraries and resulting in command execution. This issue is related to improper neutralization of argument delimiters in a command, also known as 'Argument Injection'. The vulnerability enables the execution of commands, potentially leading to system compromise.

Recommendations For versions prior to 4.0.0, consider restricting access to the OdbcHook and limiting the ability to load dynamic-link libraries until a fixed version is available. As a temporary workaround, restrict the use of controllable ODBC driver parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.