Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerability
CVE-2023-27604
8.8 HIGH
Summary
The Apache Airflow Sqoop Provider prior to version 4.0.0 contains a vulnerability that allows an authenticated attacker to supply crafted connection parameters that are passed to the 'sqoop import --connect' command, leading to remote code execution (RCE). Exploitation requires the attacker to be logged in and to hold permissions to create or edit connections; a successful attack can grant the attacker the permissions of the Airflow server process. Upgrading to a non-affected version (4.0.0 or later) is the recommended mitigation. The issue was reported by members of independent security teams.
Affected Version(s)
Apache Airflow Sqoop Provider: all versions from 0 up to, but not including, 4.0.0
References
CVSS v3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
Credit
happyhacking-k
Xie Jianming of Caiji Sec Team
Liu Hui of Caiji Sec Team