AVID-2026-R1232
Description
Apache Airflow Spark Provider Arbitrary File Read via JDBC (CVE-2023-28710)
Details
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider. This issue affects Apache Airflow Spark Provider: before 4.0.1.
Reason for inclusion in AVID: CVE-2023-28710 describes an arbitrary file read via JDBC in Apache Airflow Spark Provider (pre-4.0.1). This is a software vulnerability in a component commonly used to orchestrate data pipelines and prepare data for AI workflows. As such, it affects a dependency/stack element used to build, train, deploy, or run general-purpose AI systems, making it a software supply-chain issue relevant to AI stacks. The report provides explicit vulnerability behavior and references (NVD, PR), giving sufficient signal.
References
- NVD entry
- https://github.com/apache/airflow/pull/30223
- https://lists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v5x1p1d2
- http://www.openwall.com/lists/oss-security/2023/04/07/3
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow Spark Provider |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-20 | CWE-20 Improper Input Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-04-07
- Version: 0.3.3
- AVID Entry