CVE-2023-40195

CWE-502 — Deserialization of Untrusted Data CWE-8295 documents4 sources

Severity

8.8HIGH

EPSS

2.1%

top 15.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Spark Provider Apache Airflow Spark Provider

Timeline

PublishedAug 28

Description

Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5apache_software_foundation/apache_airflow_spark_provider< 4.1.3

▶PyPIapache-airflow-providers-apache-spark< 4.1.3

▶NVDapache/airflow_spark_provider< 4.1.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Apache Airflow vulnerable arbitrary code execution via Spark server↗2023-08-28

▶

CVEList

Apache Airflow Spark Provider Deserialization Vulnerability RCE↗2023-08-28

▶

OSV

CVE-2023-40195: Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow↗2023-08-28

▶

OSV

Apache Airflow vulnerable arbitrary code execution via Spark server↗2023-08-28

▶