Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability
CVE-2023-35798

4.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow Odbc Provider; Apache Airflow Mssql Provider
Vendor: CVE Published:; 27 June 2023

Summary

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use get_sqlalchemy_connection and someone with access to connection resources specifically updating the connection to exploit it.

This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.

It is recommended to upgrade to a version that is not affected

Affected Version(s)

Apache Airflow MSSQL Provider 0 < 3.4.1

Apache Airflow ODBC Provider 0 < 4.0.0

References

https://github.com/apache/airflow/pull/31984

patch

https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 27, 2023
Vulnerability Reserved
Jun 17, 2023

Credit

id_No2015429 of 3H Secruity Team