History: Jun 29, 2023 - 9:41 a.m.

CVE-2023-22886 Apache Airflow JDBC Provider: RCE Vulnerability

2023-06-29 09:41:00
CWE-20
apache
www.cve.org
cve-2023-22886
apache airflow
rce vulnerability
input validation
apache software foundation
jdbc provider
connection url
permission
security issue

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

31.1%

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider.
The [Connection URL] parameters of the Airflow JDBC Provider connection had no
restrictions, which made it possible to carry out RCE attacks via
different types of JDBC drivers and obtain Airflow server permissions.
This issue affects Apache Airflow JDBC Provider versions before 4.0.0.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Airflow JDBC Provider",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.0.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
