=====================================================================

                               CERT-Renater

                   Note d'Information No. 2023/VULN016

_____________________________________________________________________

DATE                : 24/01/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                                           to 2.5.1,
                Apache Airflow MySQL Provider versions prior to 4.0.0.

=====================================================================
https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h
_____________________________________________________________________

CVE-2023-22884: Apache Airflow, Apache Airflow MySQL Provider:
Arbitrary file read via MySQL provider in Apache Airflow


Jarek Potiuk - samedi 21 janvier 2023 01:50:27 UTC+1

Severity: important

Description:

Improper Neutralization of Special Elements used in a Command
('Command Injection') vulnerability in Apache Software Foundation
Apache Airflow, Apache Software Foundation Apache Airflow MySQL
Provider.This issue affects Apache Airflow: before 2.5.1;
Apache Airflow MySQL Provider: before 4.0.0.


Credit:

Son Tran from VNPT - VCI (reporter)


References:

https://github.com/apache/airflow/pull/28811
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-22884


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================