Inclusion of functionality from untrusted control sphere in Apache Airflow HDFS Provider
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-41267 |
| CWE-ID | CWE-829 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Apache Airflow HDFS provider Universal components / Libraries / Programming Languages & Components |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Inclusion of functionality from untrusted control sphere
EUVDB-ID: #VU83624
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-41267
CWE-ID:
CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability is caused by an error in software documentation, which instructed users to install an unclaimed pip package. An attacker could claim the package name and potentially compromise the affected system.
Install updates from vendor's website.
Vulnerable software versionsApache Airflow HDFS provider: 1.0.0 - 4.1.0
CPE2.3- cpe:2.3:a:apache_foundation:apache_airflow_hdfs_provider:1.0.0:*:*:*:*:apache_airflow:*:*
- cpe:2.3:a:apache_foundation:apache_airflow_hdfs_provider:1.0.1:*:*:*:*:apache_airflow:*:*
- cpe:2.3:a:apache_foundation:apache_airflow_hdfs_provider:2.0.0:*:*:*:*:apache_airflow:*:*
https://github.com/apache/airflow/pull/33813
https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z
https://www.openwall.com/lists/oss-security/2023/09/14/3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
