Vulnerability Details : CVE-2023-39553
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.
Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.
This issue affects Apache Airflow Drill Provider: before 2.4.3.
It is recommended to upgrade to a version that is not affected.
Products affected by CVE-2023-39553
- cpe:2.3:a:apache:apache-airflow-providers-apache-drill:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-39553
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~45% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-39553
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-10-01
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2023-39553
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security@apache.org (Primary)
References for CVE-2023-39553
- https://github.com/apache/airflow/pull/33074
  "Validate database URL passed to create_engine of Drill hook's connection" by pankajkoti, Pull Request #33074, apache/airflow, GitHub (Patch)
- https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf
  "CVE-2023-39553: Apache Airflow Drill Provider Arbitrary File Read Vulnerability", Apache Mail Archives (Mailing List; Patch; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2023/08/11/1
  "oss-security - CVE-2023-39553: Apache Airflow Drill Provider Arbitrary File Read Vulnerability" (Mailing List; Patch; Third Party Advisory)