oss-sec mailing list archives

CVE-2023-33234: Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

From: Elad Kalif <eladkal () apache org>
Date: Fri, 26 May 2023 19:54:52 +0000

Severity: low

Affected versions:

- Apache Airflow CNCF Kubernetes Provider 5.0.0 through 6.1.0

Description:

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar 
image and resources via Airflow connection.

In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the 
connection object in this manner.  Operators should upgrade to provider version 7.0.0 which has removed the 
vulnerability.

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-33234

Current thread:

CVE-2023-33234: Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration Elad Kalif (May 26)