Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for apache-airflow-providers-odbc by apache
CVE-2023-35798 (GCVE-0-2023-35798)
Vulnerability from nvd – Published: 2023-06-27 11:39 – Updated: 2024-10-07 18:25
VLAI
Title
Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability
Summary
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.
This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.
It is recommended to upgrade to a version that is not affected
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/31984 | patch |
| https://lists.apache.org/thread/951rb9m7wwox5p30t… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|
| Apache Software Foundation | Apache Airflow MSSQL Provider |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:24:53.811281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:25:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Apache Airflow MSSQL Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.\u003cp\u003eThis\u0026nbsp;vulnerability is considered low since it requires DAG code to use `\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eget_sqlalchemy_connection` and someone with access to connection resources specifically\u0026nbsp;updating the connection to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploit it.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\u003cbr\u003e\u003cbr\u003eIt is recommended to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupgrade to a version that is not affected\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\n\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\n\nIt is recommended to\u00a0upgrade to a version that is not affected\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:39:51.759Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35798",
"datePublished": "2023-06-27T11:39:51.759Z",
"dateReserved": "2023-06-17T20:00:14.715Z",
"dateUpdated": "2024-10-07T18:25:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34395 (GCVE-0-2023-34395)
Vulnerability from nvd – Published: 2023-06-27 11:36 – Updated: 2024-10-07 18:24
VLAI
Title
Apache Airflow ODBC Provider: Remote code execution vulnerability
Summary
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.
In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.
Starting version 4.0.0 driver can be set only from the hook constructor.
This issue affects Apache Airflow ODBC Provider: before 4.0.0.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/31713 | patch |
| https://lists.apache.org/thread/l26yykftzbhc9tgcp… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|
| apache | apache-airflow-providers-odbc |
Affected:
0 , < 4.0.0
(custom)
cpe:2.3:a:apache:apache-airflow-providers-odbc:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:06.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31713"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-odbc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-odbc",
"vendor": "apache",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:23:00.326391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:24:32.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "KmhlYXJ0"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.\u003cbr\u003e\u003c/span\u003eStarting version 4.0.0 driver can be set only from the hook constructor.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.\nIn OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.\nStarting version 4.0.0 driver can be set only from the hook constructor.\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:36:58.116Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31713"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow ODBC Provider: Remote code execution vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-34395",
"datePublished": "2023-06-27T11:36:58.116Z",
"dateReserved": "2023-06-03T15:26:13.230Z",
"dateUpdated": "2024-10-07T18:24:32.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35798 (GCVE-0-2023-35798)
Vulnerability from cvelistv5 – Published: 2023-06-27 11:39 – Updated: 2024-10-07 18:25
VLAI
Title
Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability
Summary
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.
This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.
It is recommended to upgrade to a version that is not affected
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/31984 | patch |
| https://lists.apache.org/thread/951rb9m7wwox5p30t… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|
| Apache Software Foundation | Apache Airflow MSSQL Provider |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:24:53.811281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:25:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Apache Airflow MSSQL Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.\u003cp\u003eThis\u0026nbsp;vulnerability is considered low since it requires DAG code to use `\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eget_sqlalchemy_connection` and someone with access to connection resources specifically\u0026nbsp;updating the connection to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploit it.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\u003cbr\u003e\u003cbr\u003eIt is recommended to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupgrade to a version that is not affected\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\n\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\n\nIt is recommended to\u00a0upgrade to a version that is not affected\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:39:51.759Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35798",
"datePublished": "2023-06-27T11:39:51.759Z",
"dateReserved": "2023-06-17T20:00:14.715Z",
"dateUpdated": "2024-10-07T18:25:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34395 (GCVE-0-2023-34395)
Vulnerability from cvelistv5 – Published: 2023-06-27 11:36 – Updated: 2024-10-07 18:24
VLAI
Title
Apache Airflow ODBC Provider: Remote code execution vulnerability
Summary
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.
In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.
Starting version 4.0.0 driver can be set only from the hook constructor.
This issue affects Apache Airflow ODBC Provider: before 4.0.0.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/31713 | patch |
| https://lists.apache.org/thread/l26yykftzbhc9tgcp… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|
| apache | apache-airflow-providers-odbc |
Affected:
0 , < 4.0.0
(custom)
cpe:2.3:a:apache:apache-airflow-providers-odbc:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:06.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31713"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-odbc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-odbc",
"vendor": "apache",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:23:00.326391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:24:32.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "KmhlYXJ0"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.\u003cbr\u003e\u003c/span\u003eStarting version 4.0.0 driver can be set only from the hook constructor.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.\nIn OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.\nStarting version 4.0.0 driver can be set only from the hook constructor.\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:36:58.116Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31713"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow ODBC Provider: Remote code execution vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-34395",
"datePublished": "2023-06-27T11:36:58.116Z",
"dateReserved": "2023-06-03T15:26:13.230Z",
"dateUpdated": "2024-10-07T18:24:32.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}