[Medium Risk] Apache Airflow ODBC Provider Remote Code Execution Vulnerability

Vulnerability description

Apache Airflow is an open source task and workflow management platform, and the ODBC Provider is its plugin for connecting to databases over ODBC.

In affected versions of the Apache Airflow ODBC Provider, the driver method in odbc.py does not effectively filter the user-controllable ODBC driver parameter (driver). An attacker can therefore pass an extras parameter containing a malicious driver when the Hook object is instantiated, causing the ODBC driver mechanism to load and execute any dynamic link library on the system.

Vulnerability name: Apache Airflow ODBC Provider Remote Code Execution Vulnerability
Vulnerability type: OS command injection
Discovery time: 2023/6/27
Vulnerability breadth: wide
MPS number: MPS-9tea-y3fh
CVE number: CVE-2023-34395
CNVD number: -


Affected versions

apache-airflow-providers-odbc@[1.0.0, 4.0.0)

Remediation

Upgrade apache-airflow-providers-odbc to version 4.0.0 or later.

The official patch that filters the ODBC driver parameter has been released: https://github.com/apache/airflow/commit/517c498e17d3a449c9eab58830bcbf0b54b23991
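
To gauge exposure while the upgrade is rolled out, the following added example (not code from Apache Airflow or from this advisory) checks a provider version against the affected range [1.0.0, 4.0.0) and flags ODBC connections whose extras set a driver outside an operator-approved list. The record fields mirror Airflow connection attributes; the sample rows, driver values and approved list are constructed for illustration.

```python
import json

# Affected range from the advisory: apache-airflow-providers-odbc [1.0.0, 4.0.0)
AFFECTED_MIN = (1, 0, 0)
FIXED = (4, 0, 0)

def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1); pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.split(".")[:3])

def is_affected(provider_version):
    return AFFECTED_MIN <= parse_version(provider_version) < FIXED

def driver_from_extra(extra):
    """Return the driver value set in a connection's extra JSON, or None."""
    try:
        data = json.loads(extra)
    except (TypeError, ValueError):  # extra is None, empty or not valid JSON
        return None
    if not isinstance(data, dict):
        return None
    for key, value in data.items():
        # Case-insensitive match is a conservative choice so "Driver" is not missed.
        if key.strip().lower() == "driver":
            return str(value)
    return None

def audit(provider_version, connections, approved_drivers):
    """List ODBC connections whose extra selects a driver outside the approved set."""
    findings = []
    for conn in connections:
        if conn["conn_type"] != "odbc":
            continue
        driver = driver_from_extra(conn.get("extra"))
        if driver is not None and driver.strip("{} ") not in approved_drivers:
            findings.append((conn["conn_id"], driver, is_affected(provider_version)))
    return findings

# Constructed sample rows shaped like Airflow connection records (not real data).
SAMPLE = [
    {"conn_id": "warehouse", "conn_type": "odbc", "extra": '{"driver": "ODBC Driver 18 for SQL Server"}'},
    {"conn_id": "legacy", "conn_type": "odbc", "extra": '{"Driver": "/opt/custom/libdriver.so"}'},
    {"conn_id": "pg", "conn_type": "postgres", "extra": '{"driver": "x"}'},
    {"conn_id": "plain", "conn_type": "odbc", "extra": None},
]
APPROVED = {"ODBC Driver 18 for SQL Server"}  # hypothetical operator allowlist

if __name__ == "__main__":
    for conn_id, driver, exposed in audit("3.2.1", SAMPLE, APPROVED):
        print(f"{conn_id}: driver={driver!r} installed_version_affected={exposed}")
```

Each finding is a tuple of connection id, driver value, and whether the given provider version falls in the affected range, so the same list can drive both the upgrade priority and a review of who can edit connection extras.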

References

https://www.oscs1024.com/hd/MPS-9tea-y3fh

https://github.com/apache/airflow/pull/31713

https://github.com/apache/airflow/commit/517c498e17d3a449c9eab58830bcbf0b54b23991

https://nvd.nist.gov/vuln/detail/CVE-2023-34395

About Murphy Security 

Murphy Security is a technology company that provides professional software supply chain security management. The core team comes from companies such as Baidu, Huawei, and Wuyun. The company offers customers a complete software supply chain security management platform that covers the entire software life cycle around SBOM, with capabilities spanning supply chain asset identification and management, risk detection, security control, and one-key repair.

Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.

Free code security detection tool: https://nvd.nist.gov/vuln/detail/CVE-2023-34395
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj



Origin blog.csdn.net/murphysec/article/details/131770769