SB2023120162 - Inclusion of functionality from untrusted control sphere in Apache Airflow HDFS Provider

Published: December 1, 2023

Security Bulletin ID: SB2023120162
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Inclusion of functionality from untrusted control sphere (CVE-ID: CVE-2023-41267)

CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability is caused by an error in the software documentation, which instructed users to install a pip package whose name was unclaimed. An attacker could register that package name and potentially compromise the affected system.


Remediation

Install the update from the vendor's website.