Inclusion of functionality from untrusted control sphere in Apache Airflow HDFS provider - CVE-2023-41267

Published: December 1, 2023


Vulnerability identifier: #VU83624
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-41267
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Airflow HDFS provider

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability is caused by an error in the software documentation, which instructed users to install a pip package whose name was not claimed by the project. An attacker who registered that package name could publish code of their choosing under it; users following the documentation would install it and potentially compromise the affected system.
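
As an added, defender-side illustration of the problem class this advisory describes (install instructions naming a package the project does not control), the following script is not part of the advisory or of Apache Airflow. It extracts package names from `pip install` lines in documentation, normalizes them the way a package index does, and flags any that are absent from the project's pinned requirements file. The package name `apache-airflow-providers-apache-hdfs` is assumed to be the provider's distribution name; the documentation snippet and lockfile are constructed samples.

```python
import re

# PEP 503 normalization: "Foo_Bar.baz" and "foo-bar-baz" are the same project.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Matches the argument list of a "pip install ..." command in a line of docs.
PIP_INSTALL = re.compile(r"\bpip3?\s+install\s+(.+)")
# Characters that end a bare name: extras, version specifiers, markers.
NAME_END = r"[\[<>=!~;]"

def packages_in_docs(doc_text: str) -> list[str]:
    """Return normalized package names that documentation tells users to install."""
    found = []
    for line in doc_text.splitlines():
        m = PIP_INSTALL.search(line)
        if not m:
            continue
        for token in m.group(1).split():
            if token.startswith("-"):  # skip flags such as --upgrade / -U
                continue
            base = re.split(NAME_END, token, maxsplit=1)[0]
            # URLs and local paths are not index lookups; ignore them here.
            if base and not base.startswith(("git+", "http", "./", "/")):
                found.append(normalize(base))
    return found

def unvetted_packages(doc_text: str, lockfile_text: str) -> list[str]:
    """Names the docs reference that are not pinned in the lockfile (review these)."""
    pinned = {
        normalize(re.split(NAME_END, ln.strip(), maxsplit=1)[0])
        for ln in lockfile_text.splitlines()
        if ln.strip() and not ln.lstrip().startswith(("#", "-"))
    }
    return sorted(set(packages_in_docs(doc_text)) - pinned)

# Constructed documentation excerpt: the second line names a package the
# project never pinned, which is exactly the pattern the advisory warns about.
DOCS = """\
Install the provider and an optional client library:

    pip install apache-airflow-providers-apache-hdfs
    pip install --upgrade hypothetical-hdfs-client
"""

# Constructed lockfile (version and hash are placeholders, not real values).
LOCKFILE = """\
# requirements.txt generated with hash pinning
apache-airflow-providers-apache-hdfs==0.0.0
    --hash=sha256:placeholder
"""

if __name__ == "__main__":
    print("Unpinned packages referenced by docs:", unvetted_packages(DOCS, LOCKFILE))
```

Run as a CI step over the repository's docs, any name it reports should be checked against the index before the documentation ships.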


How to mitigate CVE-2023-41267

Install updates from the vendor's website.

Sources