PT-2023-5203 · Apache · Apache Airflow HDFS Provider

Anupamas01 · Published 2023-08-28 · Updated 2023-09-19 · CVE-2023-41267

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Airflow HDFS Provider, versions prior to 4.1.1

Description: The issue affects the Apache Airflow HDFS Provider, whose documentation contained an error that pointed users to an incorrect pip package name. That name was unclaimed on the package index, so an attacker could have registered it and published malicious code that would run when users followed the documented install command. The Airflow team has since taken ownership of the package name and corrected the documentation in version 4.1.1.

Recommendations: For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue. As a temporary workaround, avoid installing pip packages that have not been verified until the documentation is corrected. Restrict access to the package installation process to minimize the risk of exploitation.
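One way to make the "do not install unverified pip packages" recommendation enforceable before pip runs, as an added example that is not part of this advisory or of the Airflow project: gate a requirements file against an allow-list of reviewed provider distributions, comparing PEP 503-normalised names so look-alike spellings do not slip through. The allow-list contents and sample requirement lines are constructed; the canonical distribution name apache-airflow-providers-apache-hdfs is assumed from the provider's PyPI name.

```python
import re
from typing import Dict, List

# PEP 503 normalisation: pip treats "A_b.C" and "a-b-c" as the same project,
# so an allow-list check must compare normalised names, not raw strings.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Constructed allow-list: distributions this deployment is approved to
# install, each mapped to the exact version that was reviewed.
APPROVED: Dict[str, str] = {
    "apache-airflow-providers-apache-hdfs": "4.1.1",  # assumed canonical name
}

# Requirement line: project name, optional extras, optional "==version" pin.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==\s*([^\s;#]+))?")

def check_requirements(lines: List[str]) -> List[str]:
    """Return one finding per requirement that should be blocked: a line passes
    only if its normalised name is on the allow-list and it is pinned (==) to
    the reviewed version."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or pip option line such as "-r"
        m = _REQ.match(line)
        if not m:
            findings.append(f"unparseable requirement: {raw!r}")
            continue
        name, pinned = normalize(m.group(1)), m.group(4)
        if name not in APPROVED:
            findings.append(f"{m.group(1)}: not an approved distribution (possible look-alike or unclaimed name)")
        elif pinned is None:
            findings.append(f"{m.group(1)}: not pinned; pin ==" + APPROVED[name])
        elif pinned != APPROVED[name]:
            findings.append(f"{m.group(1)}: pinned to {pinned}, reviewed version is {APPROVED[name]}")
    return findings

# Constructed sample requirements file exercising each branch.
SAMPLE = [
    "apache-airflow-providers-apache-hdfs==4.1.1   # canonical, pinned",
    "Apache_Airflow_Providers.Apache-HDFS==4.1.1  # same project, odd spelling",
    "apache-airflow-providers-apache-hdfs          # canonical but unpinned",
    "apache-airflow-providers-hdfs-extra==1.0      # constructed look-alike",
]

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE):
        print("BLOCK:", finding)
```

Running the script over SAMPLE reports the unpinned line and the look-alike name and accepts the two spellings of the canonical distribution.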

Related Identifiers

BDU:2023-05809
CVE-2023-41267
GHSA-5HJ9-M76G-XRC8

Affected Products

Apache Airflow HDFS Provider