Just to add severity: moderate.

On Mon, Nov 21, 2022 at 9:41 PM Jarek Potiuk <pot...@apache.org> wrote:
>
> Description:
>
> Improper Neutralization of Special Elements used in an OS Command ('OS 
> Command Injection') vulnerability in Apache Airflow Spark Provider, Apache 
> Airflow allows an attacker to read arbitrary files in the task execution 
> context, without write access to DAG files. This issue affects Spark Provider 
> versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 
> 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be 
> installed for Airflow 2.3.0+). Note that you need to manually install the 
> Spark Provider version 4.0.0 in order to get rid of the vulnerability on top 
> of an Airflow 2.3.0+ version that has a lower version of the Spark Provider 
> installed.
>
> Credit:
>
> Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for 
> reporting the issue.
>
> References:
>
> https://github.com/apache/airflow/pull/27646
>

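The version conditions in the advisory above (Spark Provider fixed in 4.0.0; 4.0.0 installable only on Airflow 2.3.0+; older Airflow with any older provider still exposed) are easy to get wrong when auditing many environments. The following is an added example, not Airflow project code, that turns those conditions into a check. It assumes the PyPI distribution names `apache-airflow` and `apache-airflow-providers-apache-spark`, ignores pre-release suffixes when comparing versions, and treats the advisory's three-way outcome (not affected, fixed, vulnerable with or without an Airflow upgrade needed first) as the verdict.

```python
"""Check an environment against the Spark Provider advisory (added example).

Assumptions: distribution names below are the PyPI names; pre-release tags
such as "rc1" are ignored when comparing versions.
"""
import re
from importlib import metadata

AIRFLOW_DIST = "apache-airflow"                              # assumed PyPI name
SPARK_PROVIDER_DIST = "apache-airflow-providers-apache-spark"  # assumed PyPI name

FIXED_PROVIDER = (4, 0, 0)       # advisory: fixed in Spark Provider 4.0.0
MIN_AIRFLOW_FOR_FIX = (2, 3, 0)  # advisory: 4.0.0 installs only on Airflow 2.3.0+


def parse_version(v):
    """Turn '2.4.3' or '4.0.0rc1' into a comparable 3-tuple of ints.

    Only the leading digits of each dotted component are kept, so a
    pre-release tag is dropped (assumption: adequate for this check).
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(airflow_version, provider_version):
    """Apply the advisory's conditions and return a verdict string.

    provider_version is None when the Spark provider is not installed.
    """
    if provider_version is None:
        return "not affected: Spark provider not installed"
    if parse_version(provider_version) >= FIXED_PROVIDER:
        return "fixed"
    if parse_version(airflow_version) < MIN_AIRFLOW_FOR_FIX:
        # Provider 4.0.0 cannot be installed here; Airflow must move first.
        return ("vulnerable: upgrade Airflow to 2.3.0+ first, "
                "then install Spark Provider 4.0.0")
    # Airflow is new enough but still ships/has an older provider pinned.
    return "vulnerable: install Spark Provider 4.0.0"


def installed_version(dist_name):
    """Return the installed version of a distribution, or None if absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def check_environment():
    """Assess the Python environment this script runs in."""
    airflow = installed_version(AIRFLOW_DIST)
    if airflow is None:
        return "Airflow not installed in this environment"
    return assess(airflow, installed_version(SPARK_PROVIDER_DIST))


if __name__ == "__main__":
    print(check_environment())
```

Run it inside the same interpreter (or virtualenv) that Airflow's workers use; a provider pinned in a different environment from the one running tasks would give a misleading answer.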