CVE-2023-41267

2023-09-1408:15:07

CWE-829

[email protected]

web.nvd.nist.gov

apache airflow

hdfs provider

cve-2023-41267

security vulnerability

code execution

pip package

nvd

apache airflow 4.1.1

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.7%

JSON

In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1

Affected configurations

Vulners

NVD

Node

apacheairflow_hdfs_providerRange≤4.1.1

CPENameOperatorVersion
apache:airflow_hdfs_providerapache airflow hdfs providerlt4.1.1

CPE	Name	Operator	Version
apache:airflow_hdfs_provider	apache airflow hdfs provider	lt	4.1.1

CNA Affected

[
  {
    "collectionURL": "https://pypi.python.org/",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow-providers-apache-hdfs",
    "product": "Apache Airflow HDFS Provider",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.1.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]