Lucene search

[email protected]CVE-2023-34395

HistoryJun 27, 2023 - 12:15 p.m.

CVE-2023-34395

2023-06-2712:15:13

CWE-88

[email protected]

web.nvd.nist.gov

cve-2023-34395

apache airflow

odbc provider

vulnerability

command execution

privilege escalation

nvd

apache software foundation

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.
In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.
Starting version 4.0.0 driver can be set only from the hook constructor.
This issue affects Apache Airflow ODBC Provider: before 4.0.0.

CPENameOperatorVersion
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbclt4.0.0
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq2.0.3
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq2.4.0
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq3.1.0
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq3.1.2
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq2.0.1
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq2.0.0
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq1.3.1
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq2.0.4
apache:apache-airflow-providers-odbcapache apache-airflow-providers-odbceq2.2.0

CPE	Name	Operator	Version
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	lt	4.0.0
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	2.0.3
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	2.4.0
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	3.1.0
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	3.1.2
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	2.0.1
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	2.0.0
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	1.3.1
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	2.0.4
apache:apache-airflow-providers-odbc	apache apache-airflow-providers-odbc	eq	2.2.0

Rows per page:

1-10 of 191

References

github.com/apache/airflow/pull/31713

lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

Related for CVE-2023-34395

cvelist1 prion1 github1 cnvd1 osv2