Apache Airflow Hive Provider Beeline Remote Command Execution
CVE-2023-28706
9.8 CRITICAL
Summary
A vulnerability exists in the Apache Airflow Hive Provider, where improper control during code generation could lead to code injection attacks. This can enable unauthorized actions and manipulation of input data by malicious actors, potentially compromising the integrity of the application. Users are advised to upgrade to version 6.0.0 or later to mitigate this risk.
Affected Version(s)
Apache Airflow Hive Provider 0 < 6.0.0
References
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
sw0rd1ight of Caiji Sec Team and 4ra1n of Chaitin Tech