Apache Airflow Spark Provider Arbitrary File Read via JDBC
CVE-2023-28710

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow Spark Provider
Vendor: CVE Published:; 7 April 2023

What is CVE-2023-28710?

An input validation issue exists in the Apache Airflow Spark Provider, affecting versions prior to 4.0.1, which may lead to unauthorized access or manipulation of data. Proper validation mechanisms are crucial to ensure that user inputs do not lead to unintended consequences within the application.

Affected Version(s)

Apache Airflow Spark Provider 0 < 4.0.1

References

https://github.com/apache/airflow/pull/30223

patch

https://lists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/04/07/3

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2023
Vulnerability Reserved
Mar 21, 2023

Credit

Xie Jianming of Nsfocus