AVID-2026-R1231
Description
Apache Airflow Hive Provider Beeline Remote Command Execution (CVE-2023-28706)
Details
Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: versions before 6.0.0.
Reason for inclusion in AVID: CVE-2023-28706 describes a code injection (CWE-94) vulnerability in Apache Airflow Hive Provider that can lead to remote code execution. Airflow and its providers are commonly used to orchestrate AI/ML pipelines and data processing tasks, making this a software component frequently involved in AI system stacks. As it affects a dependency/orchestration component used to build, deploy, or run AI workflows, it qualifies as a software supply-chain issue in general-purpose AI systems. The vulnerability is clearly security-related and well-supported by the CVE entry and references.
References
- NVD entry
- https://github.com/apache/airflow/pull/30212
- https://lists.apache.org/thread/dl20xxd51xvlx0zzc0wzgxfjwgtbbxo3
- http://www.openwall.com/lists/oss-security/2023/04/07/2
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow Hive Provider |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-04-07
- Version: 0.3.3
- AVID Entry