Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nM205LXByNW0tNGN2cM4AA1hq
Airflow Sqoop Provider RCE Vulnerability
Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.
It is recommended to upgrade to a version that is not affected.
This issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nM205LXByNW0tNGN2cM4AA1hq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-g3m9-pr5m-4cvp, CVE-2023-27604
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-27604
- https://github.com/apache/airflow/pull/33039
- https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd
- https://github.com/advisories/GHSA-g3m9-pr5m-4cvp
Blast Radius: 9.8
Affected Packages
pypi:apache-airflow-providers-apache-sqoop
Dependent packages: 3Dependent repositories: 13
Downloads: 9,792 last month
Affected Version Ranges: < 4.0.0
Fixed in: 4.0.0
All affected versions: 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1
All unaffected versions: 4.0.0, 4.1.0, 4.2.0, 4.2.1