Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NXBmLXI0YzctM2o5cs4AAyn4
Apache Airflow Drill Provider vulnerable to improper input validation
Apache Software Foundation's Apache Airflow Drill Provider before 2.3.2 is vulnerable to improper input validation because the host passed in drill connection is not sanitized.
Permalink: https://github.com/advisories/GHSA-85pf-r4c7-3j9rJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NXBmLXI0YzctM2o5cs4AAyn4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-85pf-r4c7-3j9r, CVE-2023-28707
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-28707
- https://github.com/apache/airflow/pull/30215
- https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk
- http://www.openwall.com/lists/oss-security/2023/04/07/1
- https://github.com/advisories/GHSA-85pf-r4c7-3j9r
Blast Radius: 3.6
Affected Packages
pypi:apache-airflow-providers-apache-drill
Dependent packages: 3Dependent repositories: 3
Downloads: 22,534 last month
Affected Version Ranges: < 2.3.2
Fixed in: 2.3.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1
All unaffected versions: 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.6.0, 2.6.1, 2.7.0