3 matches found
CVE-2022-40954
The CVE-2022-40954 issue is an OS Command Injection in the Apache Airflow Spark Provider that lets an attacker read arbitrary files in the task execution context without file write access to DAGs. Affected products: Spark Provider versions prior to 4.0.0 and Airflow versions prior to 2.3.0 when t...
CVE-2023-28710
Apache Airflow Spark Provider (before 4.0.1) is affected by CVE-2023-28710 due to improper input validation in the JDBC Hook, where host/schema can contain “/” or “?”, enabling an attacker to read arbitrary files during connection setup. Affected product: Apache Airflow Spark Provider prior to 4....
CVE-2023-40272
CVE-2023-40272 - Apache Airflow Spark Provider : Multiple sources describe a vulnerability in the Airflow Spark Provider for versions before 4.1.3 where an attacker can pass malicious parameters during connection establishment, enabling reading of files on the Airflow server. Affected software: A...