[High Risk] Apache Airflow Spark Provider Arbitrary File Read Vulnerability (CVE-2023-40272)

Mozhi - Software Supply Chain Security Technology Community

Vulnerability description

The Apache Airflow Spark Provider is a provider package for the Apache Airflow project that lets Airflow manage and schedule Apache Spark jobs.

In the affected versions, the conn_prefix parameter used when building the JDBC connection string is not validated, so it may contain a "?" and thereby inject additional connection parameters. An attacker can use this to point the connection at a malicious MySQL server under their control with the parameter ?allowLoadLocalInfile=true, and read arbitrary files from the Airflow host.
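The following is an added illustration of the weakness described above and of the kind of input check that closes it; it is not the provider's own code and assumes, for the sake of the example, that the JDBC URL is assembled by concatenating conn_prefix with host:port/schema. The names validate_conn_prefix, build_jdbc_url, risky_options and the FORBIDDEN_OPTIONS list are all constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed (assumed) list of MySQL Connector/J options that let a server
# pull files from the client; their presence in a stored JDBC URL is a finding.
FORBIDDEN_OPTIONS = {"allowloadlocalinfile", "allowurlinlocalinfile"}

# Characters that start or separate query parameters in a JDBC URL.
QUERY_SEPARATORS = "?&;#"


class UnsafeConnPrefix(ValueError):
    """Raised when a conn_prefix could inject JDBC driver options."""


def is_safe_conn_prefix(conn_prefix: str) -> bool:
    """True if the prefix carries no query separator. With one present, everything
    appended after it (host, port, schema) becomes a driver parameter rather than
    the connection target, which is exactly the weakness the advisory describes."""
    return not any(ch in conn_prefix for ch in QUERY_SEPARATORS)


def validate_conn_prefix(conn_prefix: str) -> str:
    """Hardened entry point: refuse the prefix instead of concatenating it blindly."""
    if not is_safe_conn_prefix(conn_prefix):
        raise UnsafeConnPrefix(
            f"conn_prefix must not contain any of {QUERY_SEPARATORS!r}: {conn_prefix!r}"
        )
    return conn_prefix


def build_jdbc_url(conn_prefix: str, host: str, port: int, schema: str) -> str:
    """Assemble the JDBC URL (assumed layout: prefix + host:port/schema) after validation."""
    return f"{validate_conn_prefix(conn_prefix)}{host}:{port}/{schema}"


def risky_options(jdbc_url: str) -> list[str]:
    """Audit helper for already-stored connections: return any forbidden driver
    options found in the query part of a JDBC URL, matched case-insensitively."""
    query = urlsplit(jdbc_url).query  # urlsplit splits on '?' even for jdbc: URLs
    params = parse_qs(query, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in FORBIDDEN_OPTIONS)


if __name__ == "__main__":
    # Constructed sample values; the hostile prefix mirrors the parameter the advisory names.
    print(build_jdbc_url("jdbc:mysql://", "db.internal", 3306, "warehouse"))
    hostile = "jdbc:mysql://evil.example:3306/x?allowLoadLocalInfile=true&h="
    print("safe prefix:", is_safe_conn_prefix(hostile))
    print("risky options:", risky_options(hostile + "db.internal:3306/warehouse"))
```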

Vulnerability name: Apache Airflow Spark Provider Arbitrary File Read Vulnerability
Vulnerability type: Improper input validation
Discovery time: 2023/8/17
Vulnerability breadth: General
MPS number: MPS-w0kg-9vl7
CVE number: CVE-2023-40272
CNVD number: -

Affected scope

apache-airflow-providers-apache-spark@(-∞, 4.1.3)

Remediation

Upgrade the component apache-airflow-providers-apache-spark to version 4.1.3 or later.

Reference links

https://zhi.oscs1024.com/4856.html

https://www.oscs1024.com/hd/MPS-w0kg-9vl7

https://nvd.nist.gov/vuln/detail/CVE-2023-40272

https://github.com/apache/airflow/commit/4f83e831d2e6985b6c82b2e0c45673b58ef81074

https://github.com/apache/airflow/pull/32946

About Murphy Security

Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other companies. The company offers customers a complete software supply chain security management platform that covers the full software life cycle around SBOM security management. Platform capabilities include software composition analysis, source security management, container image scanning, vulnerability intelligence early warning and commercial software supply chain admission assessment, giving customers end-to-end control from supply chain asset identification and management through risk detection and security control to one-click remediation.

Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product integrates with the tools of an existing development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor and Nexus.

Free Code Security Detection Tool: https://www.murphysec.com/?sf=qbyj

Free information subscription: https://www.oscs1024.com/cm/?sf=qbyj


Source: my.oschina.net/u/5851526/blog/10100905