CVE-2023-28706 – apache-airflow-providers-apache-hive
Package
Manager: pip
Name: apache-airflow-providers-apache-hive
Vulnerable Version: >=0 <6.0.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0099 (percentile: 0.76017)
Details
Apache Airflow Hive Provider vulnerable to code injection
Apache Software Foundation's Apache Airflow Hive Provider before 6.0.0 is vulnerable to improper control of generation of code.
Metadata
Created: 2023-04-07T15:30:38Z
Modified: 2023-04-14T20:31:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-5cvg-9pp5-mxcj/GHSA-5cvg-9pp5-mxcj.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-5cvg-9pp5-mxcj
Finding: F184
Auto approve: 1