Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-35797

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check to RCE via principal parameter. For this to be exploited it requires access to modifying the connection details. It is recommended updating provider version to 6.1.1 in order to avoid this vulnerability.

Published

2023-07-03T10:15:09.473

Last Modified

2025-02-13T17:16:40.277

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	apache-airflow-providers-apache-hive	< 6.1.1	Yes

References

http://www.openwall.com/lists/oss-security/2023/07/12/3 ([email protected])
https://github.com/apache/airflow/pull/31983 Patch ([email protected])
https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y Mailing List, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2023/07/12/3 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/apache/airflow/pull/31983 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)