SB2023120162 - Inclusion of functionality from untrusted control sphere in Apache Airflow HDFS Provider




Published: December 1, 2023

Security Bulletin ID: SB2023120162
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Inclusion of functionality from untrusted control sphere (CVE-ID: CVE-2023-41267)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability is caused by an error in software documentation, which instructed users to install an unclaimed pip package. An attacker could claim the package name and potentially compromise the affected system.
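
A check a documentation maintainer could run in CI to catch this class of error: it extracts every package named in a `pip install` line and reports those the index lookup does not know. This is an added example, not code from the bulletin or from Apache Airflow; the package names, the sample document, the index contents and the `is_registered` callback are constructed assumptions (in practice the callback would query the package index).

```python
import re

# pip options whose next token is a value, not a package name.
OPTS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
                   "--extra-index-url", "-f", "--find-links", "-e", "--editable"}
PIP_INSTALL = re.compile(r"\bpip3?\s+install\s+([^`\n]+)")
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def normalize(name):
    """PEP 503: names compare case-insensitively; runs of '-', '_', '.' are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def documented_packages(text):
    """Yield (line_number, normalized_name) for each package in a `pip install` line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        match = PIP_INSTALL.search(line)
        if not match:
            continue
        skip_next = False
        for token in match.group(1).split(" #")[0].split():
            token = token.strip("'\"")
            if skip_next:
                skip_next = False
            elif token in OPTS_WITH_VALUE:
                skip_next = True
            elif not token.startswith(("-", ".")) and "/" not in token:
                name = NAME.match(token)  # drops extras and version specifiers
                if name:
                    yield lineno, normalize(name.group(0))

def unclaimed(text, is_registered):
    """Return documented packages that the index lookup reports as unregistered."""
    return [(n, p) for n, p in documented_packages(text) if not is_registered(p)]

# Constructed sample documentation and constructed index contents.
SAMPLE_DOC = """\
Install the provider:

    $ pip install 'example-provider[hdfs]>=1.0' Example_Unclaimed.Pkg  # hooks
    $ python -m pip install --index-url https://pypi.example.invalid/simple example-helper
    $ pip install -r requirements.txt
"""
SAMPLE_INDEX = {"example-provider", "example-helper"}

if __name__ == "__main__":
    for lineno, pkg in unclaimed(SAMPLE_DOC, SAMPLE_INDEX.__contains__):
        print(f"line {lineno}: '{pkg}' is not registered on the index")
```

The extractor only reads lines that contain a literal `pip install` command, so package names mentioned in running prose or in requirements files need a separate pass.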


Remediation

Install the update from the vendor's website.