CVE-2023-27604: Improper Input Validation

August 28, 2023 (updated August 30, 2023)

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import –connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.

It is recommended to upgrade to a version that is not affected. This issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it.

References

github.com/advisories/GHSA-g3m9-pr5m-4cvp
github.com/apache/airflow/pull/33039
lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd
nvd.nist.gov/vuln/detail/CVE-2023-27604

Detect and mitigate CVE-2023-27604 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →