CVE-2023-41267 – apache-airflow-providers-apache-hdfs

Package

Manager: pip
Name: apache-airflow-providers-apache-hdfs
Vulnerable Version: >=0 <4.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00492 pctl0.64673

Details

Apache HDFS Provider error message suggested In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1

Metadata

Created: 2023-09-14T09:30:28Z
Modified: 2025-02-13T19:13:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-5hj9-m76g-xrc8/GHSA-5hj9-m76g-xrc8.json
CWE IDs: ["CWE-829"]
Alternative ID: GHSA-5hj9-m76g-xrc8
Finding: F410
Auto approve: 1