Apache Airflow Spark Provider Arbitrary File Read via JDBC
CVE-2023-40272

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow Spark Provider
Vendor: CVE Published:; 17 August 2023

What is CVE-2023-40272?

The Apache Airflow Spark Provider prior to version 4.1.3 contains a vulnerability that enables attackers to exploit insecure connection parameters. This flaw may allow unauthorized file access on the Airflow server, potentially leading to unauthorized data exposure and compromise. To mitigate this risk, users are urged to update to a secure version of the software.

Affected Version(s)

Apache Airflow Spark Provider 0 < 4.1.3

References

https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtq...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/08/17/1

http://www.openwall.com/lists/oss-security/2023/08/18/1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 17, 2023
Vulnerability Reserved
Aug 12, 2023

Credit

sw0rd1ight