AVID-2026-R1226
Description
Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerability (CVE-2023-27604)
Details
Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker to pass parameters with the connections, which makes it possible to carry out RCE attacks via `sqoop import --connect`, obtain Airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.
It is recommended to upgrade to a version that is not affected. This issue was reported independently by happyhacking-k, and also by Xie Jianming and LiuHui of Caiji Sec Team.
Reason for inclusion in AVID: CVE-2023-27604 describes an RCE vulnerability in Apache Airflow Sqoop Provider that can be exploited through crafted connection parameters. Airflow is widely used to orchestrate data pipelines, including AI/ML workflows, so this is a software supply-chain vulnerability affecting components commonly used to build and run AI systems. It targets a software artifact (the Sqoop provider) and is a security risk (RCE) with evidence in the advisory.
References
- NVD entry
- https://github.com/apache/airflow/pull/33039
- https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow Sqoop Provider |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-20 | Improper Input Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-08-28
- Version: 0.3.3
- AVID Entry