Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1xNTd3LTgyNnAtNDZqcs4AA0Ff

Apache Airflow ODBC Provider, Apache Airflow MSSQL Provider Improper Input Validation vulnerability

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use get_sqlalchemy_connection and someone with access to connection resources specifically updating the connection to exploit it.

This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.

It is recommended to upgrade to a version that is not affected

Permalink: https://github.com/advisories/GHSA-q57w-826p-46jr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNTd3LTgyNnAtNDZqcs4AA0Ff
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-q57w-826p-46jr, CVE-2023-35798
References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-35798
• https://github.com/apache/airflow/pull/31984
• https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj
• https://github.com/apache/airflow/commit/b6836986846058e9e5fa271fb7b22ae721020787
• https://github.com/advisories/GHSA-q57w-826p-46jr

Repository: https://github.com/apache/airflow
Blast Radius: 6.2

Affected Packages