PT-2023-4749 · Apache · Apache Airflow Spark Provider

Happyhacking-K · Published 2023-08-25 · Updated 2023-09-08 · CVE-2023-40195

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Airflow Spark Provider versions prior to 4.1.3

Description
The issue is related to deserialization of untrusted data and inclusion of functionality from an untrusted control sphere. When the Apache Spark provider is installed on an Airflow deployment, an authorized Airflow user can run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Administrators may have granted authorization to configure Spark hooks without considering this risk, as it was not explicitly mentioned in the documentation prior to version 4.1.3.

Recommendations
To resolve the issue, administrators should review their configurations to ensure that authorization to configure Spark hooks is only provided to fully trusted users. For versions prior to 4.1.3, consider restricting access to the Spark hooks configuration to minimize the risk of exploitation until a patch is available.

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2023-05183
CVE-2023-40195
GHSA-8Q28-PW9G-W82C
PYSEC-2023-156

Affected Products

Apache Airflow Spark Provider