ghsa-ffj9-4crc-q7wf
Vulnerability from github
Published
2023-04-07 15:30
Modified
2023-04-14 20:26
Severity
Summary
Apache Airflow Spark Provider vulnerable to improper input validation
Details
Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of JDBC Hook can contain / and ? which is used to denote the end of the field.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow-providers-apache-spark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28710"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-07T22:22:39Z",
"nvd_published_at": "2023-04-07T15:15:00Z",
"severity": "HIGH"
},
"details": "Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of JDBC Hook can contain `/` and `?` which is used to denote the end of the field.",
"id": "GHSA-ffj9-4crc-q7wf",
"modified": "2023-04-14T20:26:33Z",
"published": "2023-04-07T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28710"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/30223"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v5x1p1d2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/04/07/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow Spark Provider vulnerable to improper input validation"
}
Loading...