Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.
2023-05-30T11:15:09.553
2024-11-21T08:05:12.210
Modified
CVSSv3.1: 7.2 (HIGH)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | airflow_cncf_kubernetes | < 7.0.0 | Yes |