Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01aGo5LW03NmcteHJjOM4AA13e
Apache HDFS Provider error message suggested
In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation note pointed users to install an incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk) and fixed the doc strings in version 4.1.1.
Permalink: https://github.com/advisories/GHSA-5hj9-m76g-xrc8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01aGo5LW03NmcteHJjOM4AA13e
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 2 months ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-5hj9-m76g-xrc8, CVE-2023-41267
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-41267
- https://github.com/apache/airflow/pull/33813
- https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z
- http://www.openwall.com/lists/oss-security/2023/09/14/3
- https://github.com/advisories/GHSA-5hj9-m76g-xrc8
Blast Radius: 9.4
Affected Packages
pypi:apache-airflow-providers-apache-hdfs
Dependent packages: 3
Dependent repositories: 16
Downloads: 35,002 last month
Affected Version Ranges: < 4.1.1
Fixed in: 4.1.1
All affected versions: 1.0.0, 1.0.1, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0
All unaffected versions: 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0