=====================================================================

                                CERT-Renater

                     Note d'Information No. 2023/VULN256

_____________________________________________________________________

DATE                : 23/08/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow Spark Provider
                             versions prior to 4.1.3.

=====================================================================
https://lists.apache.org/thread/bl5lhyvb25hft54y2x7y1bfgzw4jpcql
_____________________________________________________________________

CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read
via JDBC
Severity: moderate

Affected versions:

- Apache Airflow Spark Provider before 4.1.3

Description:

Apache Airflow Spark Provider, versions before 4.1.3, is affected
by a vulnerability that allows an attacker to pass in malicious
parameters when establishing a connection giving an opportunity
to read files on the Airflow server.

It is recommended to upgrade to a version that is not affected.


Credit:

sw0rd1ight (finder)


References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40272


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================