Hi Jarek,

Any indication what severity tier this bug might be?

Regards,
Adam
The Daily Swig

On Mon, 21 Nov 2022 at 21:46, Jarek Potiuk <[email protected]> wrote:
> Description:
>
> Improper Neutralization of Special Elements used in an OS Command ('OS
> Command Injection') vulnerability in Apache Airflow Spark Provider, Apache
> Airflow allows an attacker to read arbitrary files in the task execution
> context, without write access to DAG files. This issue affects Spark
> Provider versions prior to 4.0.0. It also impacts any Apache Airflow
> versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider
> 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to
> manually install the Spark Provider version 4.0.0 in order to get rid of
> the vulnerability on top of Airflow 2.3.0+ version that has lower version
> of the Spark Provider installed.
>
> Credit:
>
> Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for
> reporting the issue.
>
> References:
>
> https://github.com/apache/airflow/pull/27646
>

-- 
*Adam Bannister*
*The Daily Swig*
https://portswigger.net/daily-swig
