PT-2023-4419 · Apache · Apache Airflow Drill Provider
4Ra1N
+2
·
Published
2023-08-11
·
Updated
2024-10-01
·
CVE-2023-39553
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Apache Airflow Drill Provider versions prior to 2.4.3
Description
The issue is related to improper input validation in Apache Airflow Drill Provider, allowing an attacker to pass malicious parameters when establishing a connection with DrillHook. This gives the attacker an opportunity to read files on the Airflow server.
Recommendations
For versions prior to 2.4.3, it is recommended to upgrade to a version that is not affected. As a temporary workaround, consider restricting access to the DrillHook connection to minimize the risk of exploitation.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow Drill Provider