CVE-2023-33234 – apache-airflow-providers-cncf-kubernetes
Package
Manager: pip
Name: apache-airflow-providers-cncf-kubernetes
Vulnerable Version: >=5.0.0 <7.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00264 (percentile 0.4964)
Details
Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows a user to change the xcom sidecar image and resources via an Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0, which has removed the vulnerability.
Metadata
Created: 2023-07-06T21:15:06Z
Modified: 2023-07-06T23:54:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-2rx4-9f5h-9gjf/GHSA-2rx4-9f5h-9gjf.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-2rx4-9f5h-9gjf
Finding: F184
Auto approve: 1