CVE-2023-33234 — Injection in Apache Airflow Cncf Kubernetes

CWE-74 — Injection4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 35.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Airflow Cncf Kubernetes Apache Software Foundation Apache Airflow Cncf Kubernetes Provider

Timeline

PublishedMay 30

Latest updateJul 6

Description

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_airflow_cncf_kubernetes_provider5.0.0 — 6.1.0

▶NVDapache/airflow_cncf_kubernetes5.0.0 — 7.0.0

🔴Vulnerability Details

GHSA

Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration↗2023-07-06

▶

OSV

Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration↗2023-07-06

▶

CVEList

Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration↗2023-05-30

▶