History: Jun 29, 2023 - 10:15 a.m.

CVE-2023-22886

2023-06-29 10:15:09
CWE-20
apache
web.nvd.nist.gov
28
cve-2023-22886
improper input validation
apache
airflow
jdbc provider
rce
nvd
security vulnerability

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.6
Confidence: High

EPSS: 0.001
Percentile: 31.1%

Improper Input Validation vulnerability in the Apache Software Foundation Apache Airflow JDBC Provider.
The [Connection URL] parameters of an Airflow JDBC Provider Connection had no
restrictions, which made it possible to carry out RCE attacks via
different types of JDBC drivers and obtain Airflow server permissions.
This issue affects Apache Airflow JDBC Provider: before 4.0.0.

Affected configurations

Node: apache apache-airflow-providers-jdbc, Range: <4.0.0

Vendor: apache
Product: apache-airflow-providers-jdbc
Version: *
CPE: cpe:2.3:a:apache:apache-airflow-providers-jdbc:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Airflow JDBC Provider",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.0.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
