Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerability
CVE-2023-27604
What is CVE-2023-27604?
Versions of the Apache Airflow Sqoop Provider prior to 4.0.0 allow an authenticated attacker to exploit connection parameters, which can lead to remote code execution (RCE) through the 'sqoop import --connect' command. The attacker must be logged in and have permission to create or edit connections; exploitation can then give unauthorized access to Airflow server permissions. Upgrade to a non-affected version to mitigate this risk. The issue was reported by members of independent security teams.

Affected Version(s)
Apache Airflow Sqoop Provider 0 < 4.0.0
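To check an environment against this range, the following added example (not part of the advisory or the Airflow project) audits `pip freeze` or requirements lines for the provider. It assumes the provider's PyPI distribution name is `apache-airflow-providers-apache-sqoop`; the function names and the sample lines are constructed for illustration.

```python
import re

# Assumed PyPI name of the provider; first non-affected release per the advisory.
PACKAGE = "apache-airflow-providers-apache-sqoop"
FIXED = (4, 0, 0)

def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_', '.' are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse(version):
    """Split a version into (release tuple padded to 3 parts, is_prerelease)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    release = tuple(parts + [0] * (3 - len(parts)))
    pre = bool(re.match(r"[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)\d*",
                        m.group(2), re.I))
    return release, pre

def audit(lines):
    """Return 'affected', 'fixed', 'unpinned' or 'absent' for the Sqoop provider."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(.*)", line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        pin = re.match(r"==\s*([^\s;,]+)", m.group(2))
        if not pin:
            return "unpinned"   # range, URL or bare name: resolve the installed version
        release, pre = parse(pin.group(1))
        # Conservative choice: a pre-release of 4.0.0 sorts before 4.0.0, so flag it.
        if release < FIXED or (release == FIXED and pre):
            return "affected"
        return "fixed"
    return "absent"

# Constructed sample input in `pip freeze` format (versions are illustrative).
SAMPLE = [
    "apache-airflow==2.5.1",
    "apache_airflow_providers_apache_sqoop==3.1.1  # underscore spelling",
    "requests==2.31.0",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An `unpinned` result means the file alone cannot answer the question; check the version actually installed on the Airflow hosts.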