Vulnerability description
Apache Airflow is an open source task and workflow management platform, and the ODBC Provider is a provider package (plugin) that gives Apache Airflow ODBC database connectivity.
In affected versions of the Apache Airflow ODBC Provider, the `driver` property in `odbc.py` does not effectively filter the user-controllable ODBC driver parameter (`driver`). An attacker who can instantiate the Hook object with an `extras` parameter containing a malicious `driver` value can therefore make the ODBC driver loader load and execute an arbitrary dynamic link library present on the system.
| Field | Value |
|---|---|
| Vulnerability name | Apache Airflow ODBC Provider Remote Code Execution Vulnerability |
| Vulnerability type | OS command injection |
| Discovery time | 2023/6/27 |
| Vulnerability breadth | Wide |
| MPS number | MPS-9tea-y3fh |
| CVE number | CVE-2023-34395 |
| CNVD number | - |
Affected scope
apache-airflow-providers-odbc@[1.0.0, 4.0.0)
Remediation
Upgrade apache-airflow-providers-odbc to version 4.0.0 or later.
The official patch, which filters the ODBC driver parameter, has been released: https://github.com/apache/airflow/commit/517c498e17d3a449c9eab58830bcbf0b54b23991
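The following is an added illustration, not code from the advisory or from the Airflow project: it contrasts the described pre-fix behaviour (a `driver` value taken verbatim from connection extras) with a hardened resolver in the spirit of the patch, where an extra-supplied driver is honoured only on an explicit administrator opt-in, and adds an audit helper that flags stored connections whose `driver` extra looks like a library path rather than a registered driver name. The function names, the `allow_driver_in_extra` / `default_driver` parameters and the sample connection records are my own constructions.

```python
import json
from typing import Dict, List, Optional

# Constructed sample connection records shaped like Airflow's `extra` JSON.
# These are made-up examples for the demonstration, not real connections.
SAMPLE_CONNECTIONS = {
    "odbc_ok": '{"driver": "ODBC Driver 17 for SQL Server"}',
    "odbc_path": '{"Driver": "/tmp/untrusted_lib.so"}',
    "odbc_none": "{}",
}


def driver_from_extra(extra_json: str) -> Optional[str]:
    """Read the 'driver' key from connection extras, matching the key case-insensitively."""
    extra = json.loads(extra_json or "{}")
    lowered = {str(k).lower(): v for k, v in extra.items()}
    return lowered.get("driver")


def resolve_driver_vulnerable(extra_json: str) -> Optional[str]:
    """Pre-fix behaviour as the advisory describes it: whatever the extras say is used as-is."""
    return driver_from_extra(extra_json)


def resolve_driver_hardened(
    extra_json: str, allow_driver_in_extra: bool = False, default_driver: Optional[str] = None
) -> Optional[str]:
    """Hardened resolution (hypothetical parameter names): an extra-supplied driver is used
    only when the deployment explicitly opts in; otherwise the admin-configured default wins."""
    candidate = driver_from_extra(extra_json)
    if candidate and allow_driver_in_extra:
        return candidate
    return default_driver


def looks_like_library_path(driver: Optional[str]) -> bool:
    """Audit heuristic: a driver should name a registered ODBC driver, not a file on disk."""
    if not driver:
        return False
    d = driver.strip().lower()
    return "/" in d or "\\" in d or d.endswith((".so", ".dll", ".dylib"))


def audit_connections(connections: Dict[str, str]) -> List[str]:
    """Return the names of connections whose 'driver' extra points at a library path."""
    return [name for name, extra in connections.items()
            if looks_like_library_path(driver_from_extra(extra))]
```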
Reference links
https://www.oscs1024.com/hd/MPS-9tea-y3fh
https://github.com/apache/airflow/pull/31713
https://github.com/apache/airflow/commit/517c498e17d3a449c9eab58830bcbf0b54b23991
https://nvd.nist.gov/vuln/detail/CVE-2023-34395
About Murphy Security
Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from companies such as Baidu, Huawei, and Wuyun. The company offers customers a complete software supply chain security management platform built around the SBOM, covering security management across the entire software life cycle, from supply chain asset identification and management through risk detection and security control to one-click repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj
The product integrates with the tools already in an existing development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://nvd.nist.gov/vuln/detail/CVE-2023-34395
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj