Inclusion of functionality from untrusted control sphere in Apache Airflow HDFS provider - CVE-2023-41267
Published: December 1, 2023
Vulnerability identifier: #VU83624
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-41267
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software: Apache Airflow HDFS provider
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability is caused by an error in software documentation, which instructed users to install an unclaimed pip package. An attacker could claim the package name and potentially compromise the affected system.
How to mitigate CVE-2023-41267
Install updates from the vendor's website.