oss-sec mailing list archives
CVE-2023-33234: Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
From: Elad Kalif <eladkal () apache org>
Date: Fri, 26 May 2023 19:54:52 +0000
Severity: low Affected versions: - Apache Airflow CNCF Kubernetes Provider 5.0.0 through 6.1.0 Description: Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability. References: https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-33234
Current thread:
- CVE-2023-33234: Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration Elad Kalif (May 26)