CVE-2023-28710 – apache-airflow-providers-apache-spark
Package
Manager: pip
Name: apache-airflow-providers-apache-spark
Vulnerable Version: >=0 <4.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00254 (percentile 0.48538)
Details
Apache Airflow Spark Provider vulnerable to improper input validation

Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of JDBC Hook can contain `/` and `?`, which are used to denote the end of the field.
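The following is an added example, not code from the Airflow project: it shows why a field-terminating character in the host or schema changes how the assembled connection string is parsed, and a validation check that rejects such values. The URL layout, the function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Characters that end the host and schema fields, per the advisory text.
FIELD_TERMINATORS = ("/", "?")


def validate_jdbc_field(name: str, value: str) -> str:
    """Reject a connection field that contains a field-terminating character."""
    for ch in FIELD_TERMINATORS:
        if ch in value:
            raise ValueError(f"JDBC {name} must not contain {ch!r}: {value!r}")
    return value


def build_jdbc_url(host: str, port: int, schema: str, validate: bool = True) -> str:
    """Assemble jdbc:postgresql://host:port/schema (assumed layout, hypothetical helper)."""
    if validate:
        host = validate_jdbc_field("host", host)
        schema = validate_jdbc_field("schema", schema)
    return f"jdbc:postgresql://{host}:{port}/{schema}"


def parsed_parts(jdbc_url: str) -> dict:
    """Show how a URL parser splits the assembled string back into fields."""
    parts = urlsplit(jdbc_url[len("jdbc:"):])
    return {"netloc": parts.netloc, "path": parts.path, "query": parts.query}


if __name__ == "__main__":
    # Constructed sample values: one clean pair, two with a terminator in a field.
    samples = [("db.example", "sales"), ("db.example/x", "sales"), ("db.example", "sales?opt=1")]
    for host, schema in samples:
        # Without validation the terminator moves the field boundary.
        print("unvalidated:", parsed_parts(build_jdbc_url(host, 5432, schema, validate=False)))
        try:
            print("validated:  ", build_jdbc_url(host, 5432, schema))
        except ValueError as exc:
            print("rejected:   ", exc)
```
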
Metadata
Created: 2023-04-07T15:30:38Z
Modified: 2023-04-14T20:26:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-ffj9-4crc-q7wf/GHSA-ffj9-4crc-q7wf.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-ffj9-4crc-q7wf
Finding: F184
Auto approve: 1