Lucene search

GitHub Advisory DatabaseGHSA-MM87-C3X2-6F89

HistoryJun 29, 2023 - 12:30 p.m.

Apache Airflow JDBC Provider Improper Input Validation vulnerability

2023-06-2912:30:24

CWE-20

GitHub Advisory Database

github.com

apache airflow

input validation

vulnerability

jdbc provider

rce attacks

apache software foundation

security issue

connection url

permission

software update

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

31.1%

JSON

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0.

Affected configurations

Vulners

Node

apacheapache-airflow-providers-jdbcRange<4.0.0

VendorProductVersionCPE
apacheapache-airflow-providers-jdbc*cpe:2.3:a:apache:apache-airflow-providers-jdbc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	apache-airflow-providers-jdbc	*	cpe:2.3:a:apache:apache-airflow-providers-jdbc::::::::

References

github.com/advisories/GHSA-mm87-c3x2-6f89

lists.apache.org/thread/ynbjwp4n0vzql0xzhog1gkp1ovncf8j3

nvd.nist.gov/vuln/detail/CVE-2023-22886

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

31.1%

JSON

Related for GHSA-MM87-C3X2-6F89