Vulnerability Details : CVE-2023-27604
Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker to pass parameters with the connections, which makes it possible to carry out RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.
It is recommended to upgrade to a version that is not affected.
This issue was reported independently by happyhacking-k, and also by Xie Jianming and LiuHui of Caiji Sec Team.
Products affected by CVE-2023-27604
- cpe:2.3:a:apache:airflow_sqoop_provider:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-27604
0.07% (probability of exploitation activity in the next 30 days)
EPSS Score History
~34% (percentile: the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2023-27604
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-09-27
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2023-27604
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security@apache.org (Primary)
References for CVE-2023-27604
- https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd
  CVE-2023-27604: Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerability (Apache Mail Archives). Mailing List; Vendor Advisory
- https://github.com/apache/airflow/pull/33039
  Validate SqoopHook connection string and disable extra options from public hook methods by pankajkoti · Pull Request #33039 · apache/airflow (GitHub). Patch; Vendor Advisory