Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for Apache Airflow MSSQL Provider by Apache Software Foundation
CVE-2023-35798 (GCVE-0-2023-35798)
Vulnerability from nvd – Published: 2023-06-27 11:39 – Updated: 2024-10-07 18:25
VLAI?
Title
Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability
Summary
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.
This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.
It is recommended to upgrade to a version that is not affected
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:24:53.811281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:25:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Apache Airflow MSSQL Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.\u003cp\u003eThis\u0026nbsp;vulnerability is considered low since it requires DAG code to use `\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eget_sqlalchemy_connection` and someone with access to connection resources specifically\u0026nbsp;updating the connection to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploit it.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\u003cbr\u003e\u003cbr\u003eIt is recommended to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupgrade to a version that is not affected\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\n\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\n\nIt is recommended to\u00a0upgrade to a version that is not affected\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:39:51.759Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35798",
"datePublished": "2023-06-27T11:39:51.759Z",
"dateReserved": "2023-06-17T20:00:14.715Z",
"dateUpdated": "2024-10-07T18:25:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35798 (GCVE-0-2023-35798)
Vulnerability from cvelistv5 – Published: 2023-06-27 11:39 – Updated: 2024-10-07 18:25
VLAI?
Title
Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability
Summary
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.
This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.
It is recommended to upgrade to a version that is not affected
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:24:53.811281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:25:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Apache Airflow MSSQL Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.\u003cp\u003eThis\u0026nbsp;vulnerability is considered low since it requires DAG code to use `\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eget_sqlalchemy_connection` and someone with access to connection resources specifically\u0026nbsp;updating the connection to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploit it.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\u003cbr\u003e\u003cbr\u003eIt is recommended to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupgrade to a version that is not affected\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\n\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\n\nIt is recommended to\u00a0upgrade to a version that is not affected\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:39:51.759Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35798",
"datePublished": "2023-06-27T11:39:51.759Z",
"dateReserved": "2023-06-17T20:00:14.715Z",
"dateUpdated": "2024-10-07T18:25:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}