PT-2023-4070 · Apache · Apache Airflow
Elad Kalif · Published 2023-05-26 · Updated 2024-10-10 · CVE-2023-33234

| CVSS v2.0 | 9.0 (High) |
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Airflow CNCF Kubernetes provider version 5.0.0
Description
The issue stems from improper neutralization of special elements in output (Special Elements Injection), which can allow an attacker to execute arbitrary code. A user with elevated permissions (Op or Admin) can modify the Airflow connection object and thereby change the XCom sidecar container image and its resources through the Airflow connection.
Recommendations
Upgrade to provider version 7.0.0, which removes the vulnerability.
Fix
Weakness Enumeration
Special Elements Injection
Related Identifiers
CVE-2023-33234
Affected Products
Apache Airflow