CVE-2023-33234

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq	Mailing List Vendor Advisory
https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow_cncf_kubernetes:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-30 11:15

Updated : 2024-11-21 08:05

NVD link : CVE-2023-33234

Mitre link : CVE-2023-33234

CVE.ORG link : CVE-2023-33234

JSON object : View

Products Affected

apache

airflow_cncf_kubernetes

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2023-33234", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-05-30T11:15:09.553", "references": [{"url": "https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection.\n\nIn order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner.\u00a0 Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.\n\n"}], "lastModified": "2024-11-21T08:05:12.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow_cncf_kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2DC677D-0A37-459F-841D-69C620183C1F", "versionEndExcluding": "7.0.0", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}