Apache Airflow Drill Provider Arbitrary File Read Vulnerability
CVE-2023-39553

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow Drill Provider
Vendor: CVE Published:; 11 August 2023

Summary

Apache Airflow Drill Provider suffers from an improper input validation flaw that enables attackers to send malicious parameters during the connection setup with DrillHook. This exploitation can lead to unauthorized file access on the Airflow server. It is crucial to update to version 2.4.3 or later to safeguard against this vulnerability and maintain the integrity of your systems.

Affected Version(s)

Apache Airflow Drill Provider 0 < 2.4.3

References

https://github.com/apache/airflow/pull/33074

patch

https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxy...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/08/11/1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 11, 2023
Vulnerability Reserved
Aug 5, 2023

Credit

sw0rd1ight of Caiji Sec Team and 4ra1n of Chaitin Tech