Inclusion of functionality from untrusted control sphere in Apache Airflow HDFS provider - CVE-2023-41267

 


Published: December 1, 2023


Vulnerability identifier: #VU83624
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-41267
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache Airflow HDFS provider
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability is caused by an error in software documentation, which instructed users to install an unclaimed pip package. An attacker could claim the package name and potentially compromise the affected system.
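
The check below is an added example, not code from this advisory or from the Apache Airflow project: it extracts the package names that documentation tells users to pip install and reports those missing from a caller-supplied set of names registered on the package index. The package names, SAMPLE_DOC and REGISTERED are constructed placeholders, and how the registered set is obtained (for instance from an index snapshot) is an assumption.

```python
import re
import shlex

# A pip command on its own line, as it appears in a docs code block.
PIP_LINE = re.compile(
    r"^\s*(?:\$\s+)?(?:python3?\s+-m\s+)?pip3?\s+install\s+(.+)$", re.M)
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")   # distribution name prefix
# pip options whose following token is an argument, not a package name
TAKES_ARG = {"-r", "--requirement", "-c", "--constraint", "-e", "--editable",
             "-i", "--index-url", "--extra-index-url", "-f", "--find-links"}

def normalize(name):
    """PEP 503: names are case-insensitive; runs of '-', '_', '.' are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def packages_in_docs(text):
    """Normalized names of every package the docs tell users to pip install."""
    found = set()
    for line in PIP_LINE.finditer(text):
        try:
            tokens = shlex.split(line.group(1), comments=True)
        except ValueError:              # unbalanced quote in the docs
            tokens = line.group(1).split()
        skip = False
        for tok in tokens:
            if skip:                    # argument of the previous option
                skip = False
            elif tok in TAKES_ARG:
                skip = True
            elif not tok.startswith("-") and "/" not in tok:  # no flags, paths, URLs
                m = NAME.match(tok)     # stops at extras and version specifiers
                if m:
                    found.add(normalize(m.group(0).rstrip("._-")))
    return found

def unclaimed(text, registered):
    """Documented packages missing from the set of names registered on the index."""
    known = {normalize(n) for n in registered}
    return sorted(packages_in_docs(text) - known)

# Constructed sample: placeholder names, not the package from the advisory.
SAMPLE_DOC = """\
Install the provider and its helper:

    $ pip install 'example-provider[extra]>=1.0'
    $ python -m pip install --upgrade -r requirements.txt Example_Helper.Lib
"""
REGISTERED = {"example-provider"}       # assumed snapshot of claimed names

if __name__ == "__main__":
    print(unclaimed(SAMPLE_DOC, REGISTERED))
```

Any name this reports is one that a third party could still register, so the documentation should be corrected or the name claimed before publication.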


Remediation

Install updates from vendor's website.
