CVE-2023-34395 – Apache Airflow ODBC Provider: Remote code execution vulnerability
https://notcve.org/view.php?id=CVE-2023-34395
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting version 4.0.0 driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider: before 4.0.0. • https://github.com/apache/airflow/pull/31713 https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2023-28710 – Apache Airflow Spark Provider Arbitrary File Read via JDBC
https://notcve.org/view.php?id=CVE-2023-28710
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.This issue affects Apache Airflow Spark Provider: before 4.0.1. • http://www.openwall.com/lists/oss-security/2023/04/07/3 https://github.com/apache/airflow/pull/30223 https://lists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v5x1p1d2 • CWE-20: Improper Input Validation •
CVE-2023-28707 – Airflow Apache Drill Provider Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-28707
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2. • http://www.openwall.com/lists/oss-security/2023/04/07/1 https://github.com/apache/airflow/pull/30215 https://lists.apache.org/thread/dfoj7q1nd0vhhsl8fjg63z4j6mfmdxtk • CWE-20: Improper Input Validation •
CVE-2023-25956 – Apache Airflow AWS Provider: Arbitrary file read via AWS provider
https://notcve.org/view.php?id=CVE-2023-25956
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1. • https://github.com/apache/airflow/pull/29587 https://lists.apache.org/thread/07pl9y4gdpw2c6rzqm77dvkm2z2kb5gv • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2023-25696 – Apache Airflow Hive Provider Beeline RCE
https://notcve.org/view.php?id=CVE-2023-25696
Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. • https://github.com/apache/airflow/pull/29502 https://lists.apache.org/thread/99g0qm56wmgdxmbtdsvhj4rdnxhpzpml • CWE-20: Improper Input Validation •