AVID-2026-R1274
Description
Apache Airflow Spark Provider Arbitrary File Read via JDBC (CVE-2023-40272)
Details
Apache Airflow Spark Provider, in versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass malicious parameters when establishing a connection, giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.
Reason for inclusion in AVID: CVE-2023-40272 is an arbitrary file read vulnerability in the Apache Airflow Spark Provider affecting the deployment stage. Apache Airflow and its Spark provider are commonly used in ML/AI pipelines, making this a software supply-chain issue relevant to AI systems. The vulnerability is security-related (unauthorized file read), and sufficient evidence is provided (CVE entry, affected versions, remediation).
References
- NVD entry
- https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtqmw6k1l7
- http://www.openwall.com/lists/oss-security/2023/08/17/1
- http://www.openwall.com/lists/oss-security/2023/08/18/1
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow Spark Provider |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-20 | Improper Input Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-08-17
- Version: 0.3.3
- AVID Entry