Vulnerability Details : CVE-2023-35798
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.
This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.
It is recommended to upgrade to a version that is not affected
Vulnerability category: Input validation
Products affected by CVE-2023-35798
- cpe:2.3:a:apache:apache-airflow-providers-odbc:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apache-airflow-providers-microsoft-mssql:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-35798
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 17 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-35798
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2023-35798
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security@apache.org (Primary)
References for CVE-2023-35798
-
https://github.com/apache/airflow/pull/31984
Check if sqlalchemy_scheme extra contains forbidden characters by potiuk · Pull Request #31984 · apache/airflow · GitHubPatch;Vendor Advisory
-
https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj
CVE-2023-35798: Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability-Apache Mail ArchivesMailing List;Vendor Advisory
Jump to