Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Apache Airflow HDFS Provider by Apache Software Foundation

    CVE-2023-41267 (GCVE-0-2023-41267)

    Vulnerability from nvd – Published: 2023-09-14 07:46 – Updated: 2025-02-13 17:09
    VLAI
    Title
    Apache HDFS Provider error message suggested installation of incorrect pip package
    Summary
    In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Airflow HDFS Provider Affected: 0 , < 4.1.1 (semver)
    Create a notification for this product.
    apache airflow_hdfs_provider Affected: 0 , < 4.1.1 (custom)
        cpe:2.3:a:apache:airflow_hdfs_provider:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    AnupamAs01
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:54:05.175Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/apache/airflow/pull/33813"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/09/14/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:airflow_hdfs_provider:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "airflow_hdfs_provider",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "4.1.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41267",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T18:21:31.272359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T18:23:52.898Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org/",
              "defaultStatus": "unaffected",
              "packageName": "apache-airflow-providers-apache-hdfs",
              "product": "Apache Airflow HDFS Provider",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "4.1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "AnupamAs01"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation\u0026nbsp;info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation\u00a0info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-14T17:06:14.082Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/airflow/pull/33813"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2023/09/14/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache HDFS Provider error message suggested installation of incorrect pip package",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-41267",
        "datePublished": "2023-09-14T07:46:42.191Z",
        "dateReserved": "2023-08-27T21:27:41.472Z",
        "dateUpdated": "2025-02-13T17:09:00.280Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-41267 (GCVE-0-2023-41267)

    Vulnerability from cvelistv5 – Published: 2023-09-14 07:46 – Updated: 2025-02-13 17:09
    VLAI
    Title
    Apache HDFS Provider error message suggested installation of incorrect pip package
    Summary
    In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Airflow HDFS Provider Affected: 0 , < 4.1.1 (semver)
    Create a notification for this product.
    apache airflow_hdfs_provider Affected: 0 , < 4.1.1 (custom)
        cpe:2.3:a:apache:airflow_hdfs_provider:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    AnupamAs01
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:54:05.175Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/apache/airflow/pull/33813"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/09/14/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:airflow_hdfs_provider:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "airflow_hdfs_provider",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "4.1.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41267",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T18:21:31.272359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T18:23:52.898Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.python.org/",
              "defaultStatus": "unaffected",
              "packageName": "apache-airflow-providers-apache-hdfs",
              "product": "Apache Airflow HDFS Provider",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "4.1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "AnupamAs01"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation\u0026nbsp;info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation\u00a0info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-14T17:06:14.082Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/apache/airflow/pull/33813"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2023/09/14/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache HDFS Provider error message suggested installation of incorrect pip package",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-41267",
        "datePublished": "2023-09-14T07:46:42.191Z",
        "dateReserved": "2023-08-27T21:27:41.472Z",
        "dateUpdated": "2025-02-13T17:09:00.280Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }