[Medium Risk] Apache Airflow Drill Provider < 2.4.3 has an arbitrary file read vulnerability

Vulnerability description

The Apache Airflow Drill Provider is a module in the Apache Airflow project that provides integration with the Apache Drill data engine.

In versions before 2.4.3, the drill#create_engine method does not filter the URL parameters supplied by users. An attacker who can construct malicious query parameters can therefore read sensitive files on the Airflow server when a connection is established through DrillHook.
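The defensive pattern the fix calls for is to validate every component of the connection URL before create_engine() ever sees it, rather than forwarding user-supplied parameters unchanged. The following is an added example, not the provider's own code: the allowlist of query parameters and the drill+sadrill URL shape are assumptions chosen for illustration.

```python
# Added example (not Apache Airflow provider code): build a Drill SQLAlchemy URL
# from separately validated components instead of trusting caller-supplied
# query strings. ALLOWED_QUERY_PARAMS is a hypothetical allowlist.
from typing import Dict, Optional
from urllib.parse import quote, urlencode

ALLOWED_QUERY_PARAMS = {"use_ssl", "verify_ssl"}   # hypothetical allowlist
RESERVED = set("?&;#/\\")                          # would smuggle extra URL parts


def _check_component(name: str, value: str) -> str:
    """Reject a value that could inject additional URL components."""
    if any(ch in RESERVED for ch in value):
        raise ValueError(f"{name} contains a reserved URL character: {value!r}")
    return value


def build_drill_url(host: str, port: int, login: Optional[str] = None,
                    password: Optional[str] = None,
                    extras: Optional[Dict[str, str]] = None) -> str:
    """Return a drill+sadrill:// URL; unknown or malformed parameters are refused."""
    _check_component("host", host)
    creds = ""
    if login:
        # percent-encode credentials so '@' or ':' cannot alter URL structure
        creds = quote(login, safe="")
        if password:
            creds += ":" + quote(password, safe="")
        creds += "@"
    query = {}
    for key, value in (extras or {}).items():
        if key not in ALLOWED_QUERY_PARAMS:
            raise ValueError(f"query parameter not allowed: {key!r}")
        query[key] = _check_component(key, str(value))
    url = f"drill+sadrill://{creds}{host}:{int(port)}/"
    if query:
        url += "?" + urlencode(query)
    return url


def rejects(**kwargs) -> bool:
    """True if build_drill_url refuses the given components (used for checks)."""
    try:
        build_drill_url(**kwargs)
    except ValueError:
        return True
    return False
```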

Vulnerability name: Arbitrary file read vulnerability in Apache Airflow Drill Provider < 2.4.3
Vulnerability type: Improper input validation
Discovery time: 2023/8/11
Vulnerability breadth: -
MPS number: MPS-bv31-4lqj
CVE number: CVE-2023-39553
CNVD number: -

Affected scope

apache-airflow-providers-apache-drill@[1.0.0, 2.4.3)

Remediation

The official patch has been released: https://github.com/apache/airflow/commit/fa2a54547d05258a98b253fbcb7ab8cd5049fc37

Upgrade apache-airflow-providers-apache-drill to 2.4.3 or later.

Reference links

https://www.oscs1024.com/hd/MPS-bv31-4lqj

https://nvd.nist.gov/vuln/detail/CVE-2023-39553

https://lists.apache.org/thread/ozpl0opmob49rkcz8svo8wkxyw1395sf

https://github.com/apache/airflow/commit/fa2a54547d05258a98b253fbcb7ab8cd5049fc37

About Murphy Security

Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other enterprises. The company offers customers a complete software supply chain security management platform built around SBOM-based, full-lifecycle security management. Platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment, giving customers end-to-end control from supply chain asset identification and management through risk detection and security control to one-click repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product can be integrated with the tools of an existing development process at very low cost, including seamless integration with dozens of tools such as IDEs, Gitlab, Bitbucket, Jenkins, Harbor and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj


Source: blog.csdn.net/murphysec/article/details/132280152