CVE-2023-34395: Apache Airflow ODBC Provider: Remote code execution vulnerability

Elad Kalif Mon, 26 Jun 2023 10:54:24 -0700

Severity: moderate

Affected versions:


- Apache Airflow ODBC Provider before 4.0.0

Description:

Improper Neutralization of Argument Delimiters in a Command ('Argument 
Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC 
Provider.
In OdbcHook, A privilege escalation vulnerability exists in a system due to 
controllable ODBC driver parameters that allow the loading of arbitrary 
dynamic-link libraries, resulting in command execution.
Starting version 4.0.0 driver can be set only from the hook constructor.
This issue affects Apache Airflow ODBC Provider: before 4.0.0.

Credit:

KmhlYXJ0 (finder)

References:

https://github.com/apache/airflow/pull/31713
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-34395

CVE-2023-34395: Apache Airflow ODBC Provider: Remote code execution vulnerability

Reply via email to