We use cookies to improve your experience on our site.
AVID-2026-R1209
Description
Apache Airflow Google Provider: Google Cloud Sql Provider Remote Command Execution (CVE-2023-25691)
Details
Improper Input Validation vulnerability in the Apache Airflow Google Provider.
This issue affects Apache Airflow Google Provider versions before 8.10.0.
Reason for inclusion in AVID: CVE-2023-25691 describes a remote code execution vulnerability due to improper input validation in the Apache Airflow Google Provider. Airflow is a widely used orchestration tool in ML/AI pipelines and deployment workflows, making this a software component relevant to AI systems' supply chains. It affects a dependency/runtime used to build/deploy/run AI workloads, not hardware/firmware. The vulnerability behavior (RCE) is clearly security-related, and the report provides explicit signal (CVE entry and related references).
References
- NVD entry
- https://github.com/apache/airflow/pull/29497
- https://lists.apache.org/thread/zdr8ovfttbh7kj0lydgcw88tbt2nmkcy
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow Google Provider |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-20 | CWE-20 Improper Input Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-02-24
- Version: 0.3.3
- AVID Entry