Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mZmo5LTRjcmMtcTd3Zs4AAyn3

Apache Airflow Spark Provider vulnerable to improper input validation

Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of the JDBC Hook can contain `/` and `?`, which are used to denote the end of the field.

Permalink: https://github.com/advisories/GHSA-ffj9-4crc-q7wf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZmo5LTRjcmMtcTd3Zs4AAyn3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-ffj9-4crc-q7wf, CVE-2023-28710
References: Repository: https://github.com/apache/airflow
Blast Radius: 13.8

Affected Packages

pypi:apache-airflow-providers-apache-spark
Dependent packages: 5
Dependent repositories: 69
Downloads: 184,375 last month
Affected Version Ranges: < 4.0.1
Fixed in: 4.0.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 4.0.0
All unaffected versions: 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.8.0