Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycng0LTlmNWgtOWdqZs4AA0cY
Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows a user to change the xcom sidecar image and resources via an Airflow connection.
In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.
Permalink: https://github.com/advisories/GHSA-2rx4-9f5h-9gjf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycng0LTlmNWgtOWdqZs4AA0cY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2rx4-9f5h-9gjf, CVE-2023-33234
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33234
- https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq
- https://github.com/advisories/GHSA-2rx4-9f5h-9gjf
Affected Packages
pypi:apache-airflow-providers-cncf-kubernetes
Dependent packages: 28
Dependent repositories: 124
Downloads: 2,711,619 last month
Affected Version Ranges: >= 5.0.0, < 7.0.0
Fixed in: 7.0.0
All affected versions: 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 6.0.0, 6.1.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.6.0, 7.7.0, 7.8.0, 7.9.0, 7.10.0, 7.11.0, 7.12.0, 7.13.0, 7.14.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0