I've added that in a follow-up message: moderate
On Thu, Nov 24, 2022 at 12:12 PM Adam Bannister <[email protected]> wrote:
>
> Hi Jarek,
>
> Any indication what severity tier this bug might be?
>
> Regards,
> Adam
> The Daily Swig
>
> On Mon, 21 Nov 2022 at 21:46, Jarek Potiuk <[email protected]> wrote:
>>
>> Description:
>>
>> Improper Neutralization of Special Elements used in an OS Command ('OS
>> Command Injection') vulnerability in Apache Airflow Spark Provider, Apache
>> Airflow allows an attacker to read arbitrary files in the task execution
>> context, without write access to DAG files. This issue affects Spark
>> Provider versions prior to 4.0.0. It also impacts any Apache Airflow
>> versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider
>> 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to
>> manually install the Spark Provider version 4.0.0 in order to get rid of the
>> vulnerability on top of Airflow 2.3.0+ version that has lower version of the
>> Spark Provider installed.
>>
>> Credit:
>>
>> Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for
>> reporting the issue.
>>
>> References:
>>
>> https://github.com/apache/airflow/pull/27646
>>
>
>
> --
>
> Adam Bannister
> The Daily Swig
> https://portswigger.net/daily-swig
