CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.002 Low
Percentile: 51.8%
The Apache Airflow HDFS provider package is vulnerable to code execution. Its documentation incorrectly points users to install the wrong pip package. Since that package is unverified, an attacker can claim it and provide code that is executed when the package is installed.
CPE
Name | Operator | Version
---|---|---
apache-airflow-providers-apache-hdfs | le | 4.1.0
www.openwall.com/lists/oss-security/2023/09/14/3
github.com/apache/airflow/commit/dfa70b942348ba51be7594499ff54030375e4d89
github.com/apache/airflow/pull/33813
github.com/pierrejeambrun/airflow/commit/9a8c2044bd0dab209c1e4cbf11d59297664dab08#diff-264027cced805eba419bec85a94662c4c4e4b1251a7387aa24daf7e84c466a7b
lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z