oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-34395: Apache Airflow ODBC Provider: Remote code execution vulnerability

From: Elad Kalif <eladkal () apache org>
Date: Mon, 26 Jun 2023 15:52:56 +0000
Severity: moderate

Affected versions:

- Apache Airflow ODBC Provider before 4.0.0

Description:

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software 
Foundation Apache Airflow ODBC Provider.
In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that 
allow the loading of arbitrary dynamic-link libraries, resulting in command execution.
Starting version 4.0.0 driver can be set only from the hook constructor.
This issue affects Apache Airflow ODBC Provider: before 4.0.0.

Credit:

KmhlYXJ0 (finder)

References:

https://github.com/apache/airflow/pull/31713
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-34395
Previous By Date Next
Previous By Thread Next

Current thread: