===================================================================                             CERT-Renater

                   Note d'Information No. 2023/VULN292

_____________________________________________________________________

DATE                : 05/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow Sqoop Provider
                                  versions prior to 4.0.0.

====================================================================https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd
_____________________________________________________________________

CVE-2023-27604: Apache Airflow Sqoop Provider: Airflow Sqoop Provider
RCE Vulnerability

Severity: moderate

Affected versions:

- Apache Airflow Sqoop Provider before 4.0.0

Description:

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by
a vulnerability that allows an attacker pass parameters with the
connections, which makes it possible to implement RCE attacks via
‘sqoop import --connect’, obtain airflow server permissions, etc.
The attacker needs to be logged in and have authorization
(permissions) to create/edit connections.

  It is recommended to upgrade to a version that is not affected.
This issue was reported independently by happyhacking-k, And Xie
Jianming and LiuHui of Caiji Sec Team also reported it.


Credit:

happyhacking-k (finder)
Xie Jianming of Caiji Sec Team (finder)
Liu Hui of Caiji Sec Team (finder)

References:

https://github.com/apache/airflow/pull/33039
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-27604

========================================================+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================