Apache Airflow ODBC and MSSQL Providers Arbitrary File Read Vulnerability
CVE-2023-35798

4.3 MEDIUM

What is CVE-2023-35798?

Input validation vulnerability in the Apache Software Foundation Apache Airflow ODBC Provider and the Apache Software Foundation Apache Airflow MSSQL Provider. This vulnerability is considered low since it requires DAG code to use get_sqlalchemy_connection and someone with access to connection resources specifically updating the connection to exploit it.

This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.

It is recommended to upgrade to a version that is not affected.

Affected Version(s)

Apache Airflow MSSQL Provider 0 < 3.4.1

Apache Airflow ODBC Provider 0 < 4.0.0
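
To check an environment against the affected versions above, the following added example (not part of the advisory or of the Airflow project) flags provider pins older than the fixed releases in pip-freeze style text and lists the lines where DAG source calls get_sqlalchemy_connection. The keys in FIXED are the providers' PyPI distribution names; the sample pins and the sample DAG, including the connection id reporting_db, are constructed for illustration.

```python
import ast
import re

# Fixed releases as stated in the advisory; keys are the PyPI distribution names.
FIXED = {
    "apache-airflow-providers-odbc": (4, 0, 0),
    "apache-airflow-providers-microsoft-mssql": (3, 4, 1),
}
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*(\d+)\.(\d+)(?:\.(\d+))?((?:a|b|rc|\.?dev)\d+)?")

def affected_pins(freeze_text):
    """Return (name, version) for each pinned provider older than its fixed release."""
    hits = []
    for line in freeze_text.splitlines():
        m = PIN.match(line)
        name = re.sub(r"[._]+", "-", m.group(1)).lower() if m else None
        fixed = FIXED.get(name)
        if fixed is None:
            continue
        release = tuple(int(p or 0) for p in m.group(2, 3, 4))
        # A pre-release of the fixed version (e.g. 4.0.0rc1) counts as affected.
        if release < fixed or (release == fixed and m.group(5)):
            hits.append((name, m.group(0).split("==", 1)[1].strip()))
    return hits

def call_sites(source):
    """Return line numbers where the source calls <obj>.get_sqlalchemy_connection(...)."""
    return sorted(
        node.lineno for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == "get_sqlalchemy_connection"
    )

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_FREEZE = """\
apache-airflow==2.6.1
apache-airflow-providers-odbc==3.3.0
apache_airflow_providers_microsoft_mssql==3.4.1
"""
SAMPLE_DAG = '''\
from airflow.providers.odbc.hooks.odbc import OdbcHook

def extract():
    hook = OdbcHook(odbc_conn_id="reporting_db")
    with hook.get_sqlalchemy_connection() as conn:
        return conn.execute("SELECT 1").scalar()
'''
```

On the samples, affected_pins(SAMPLE_FREEZE) reports only the ODBC provider pin and call_sites(SAMPLE_DAG) reports line 5; a DAG file with a reported call site on an affected provider is the combination the advisory describes.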

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

id_No2015429 of 3H Secruity Team.