====================================================================

                             CERT-Renater

                  Note d'Information No. 2023/VULN240

_____________________________________________________________________

DATE                : 03/07/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow Hive Provider
                            versions prior to 6.1.1.

====================================================================
https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y
_____________________________________________________________________

CVE-2023-35797: Apache Airflow Hive Provider Beeline RCE with
Principal
Severity: moderate

Affected versions:

- Apache Airflow Apache Hive Provider before 6.1.1

Description:

Improper Input Validation vulnerability in Apache Software Foundation
Apache Airflow Hive Provider.

This issue affects Apache Airflow Apache Hive Provider: before 6.1.1.

Before version 6.1.1 it was possible to bypass the security check to
RCE via principal parameter. For this to be exploited it requires
access to modifying the connection details.

It is recommended updating provider version to 6.1.1 in order to
avoid this vulnerability.


Credit:

id_No2015429 of 3H Secruity Team (reporter)


References:

https://github.com/apache/airflow/pull/31983
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-35797

========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
========================================================