Also want to credit id_No2015429 of 3H Security Team for this report of the same issue.
On 2023/08/11 04:57:45 Elad Kalif wrote: > Severity: moderate > > Affected versions: > > - Apache Airflow Drill Provider before 2.4.3 > > Description: > > Improper Input Validation vulnerability in Apache Software Foundation Apache > Airflow Drill Provider. > > Apache Airflow Drill Provider is affected by a vulnerability that allows an > attacker to pass in malicious parameters when establishing a connection with > DrillHook giving an opportunity to read files on the Airflow server. > This issue affects Apache Airflow Drill Provider: before 2.4.3. > It is recommended to upgrade to a version that is not affected. > > Credit: > > sw0rd1ight of Caiji Sec Team and 4ra1n of Chaitin Tech (finder) > > References: > > https://github.com/apache/airflow/pull/33074 > https://airflow.apache.org/ > https://www.cve.org/CVERecord?id=CVE-2023-39553 > >