Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Apache Airflow MSSQL Provider by Apache Software Foundation
CVE-2023-35798 (GCVE-0-2023-35798)
Vulnerability from nvd – Published: 2023-06-27 11:39 – Updated: 2024-10-07 18:25
VLAI
Title
Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability
Summary
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.
This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.
It is recommended to upgrade to a version that is not affected
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/31984 | patch |
| https://lists.apache.org/thread/951rb9m7wwox5p30t… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|
| Apache Software Foundation | Apache Airflow MSSQL Provider |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:24:53.811281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:25:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Apache Airflow MSSQL Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.\u003cp\u003eThis\u0026nbsp;vulnerability is considered low since it requires DAG code to use `\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eget_sqlalchemy_connection` and someone with access to connection resources specifically\u0026nbsp;updating the connection to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploit it.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\u003cbr\u003e\u003cbr\u003eIt is recommended to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupgrade to a version that is not affected\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\n\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\n\nIt is recommended to\u00a0upgrade to a version that is not affected\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:39:51.759Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35798",
"datePublished": "2023-06-27T11:39:51.759Z",
"dateReserved": "2023-06-17T20:00:14.715Z",
"dateUpdated": "2024-10-07T18:25:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35798 (GCVE-0-2023-35798)
Vulnerability from cvelistv5 – Published: 2023-06-27 11:39 – Updated: 2024-10-07 18:25
VLAI
Title
Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability
Summary
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.
This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.
It is recommended to upgrade to a version that is not affected
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/31984 | patch |
| https://lists.apache.org/thread/951rb9m7wwox5p30t… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow ODBC Provider |
Affected:
0 , < 4.0.0
(semver)
|
|
| Apache Software Foundation | Apache Airflow MSSQL Provider |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:24:53.811281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:25:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow ODBC Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Apache Airflow MSSQL Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.\u003cp\u003eThis\u0026nbsp;vulnerability is considered low since it requires DAG code to use `\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eget_sqlalchemy_connection` and someone with access to connection resources specifically\u0026nbsp;updating the connection to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploit it.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\u003cbr\u003e\u003cbr\u003eIt is recommended to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupgrade to a version that is not affected\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\n\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\n\nIt is recommended to\u00a0upgrade to a version that is not affected\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T11:39:51.759Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31984"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35798",
"datePublished": "2023-06-27T11:39:51.759Z",
"dateReserved": "2023-06-17T20:00:14.715Z",
"dateUpdated": "2024-10-07T18:25:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}