CVE-2023-34395: Disable setting ODBC driver via extra by default by potiuk · Pull Request #31713 · apache/airflow

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, a privilege escalation vulnerability exists because the ODBC driver parameters are controllable, which allows the loading of arbitrary dynamic-link libraries and results in command execution. Starting with version 4.0.0, the driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider before 4.0.0.


Conversation

potiuk changed the title from "Only allow to set driver via Hook constructor parameters" to "Disable setting ODBC driver via extra by default"

Jun 5, 2023

By default, setting driver via extra is disabled, but we have several more ways to set it.

potiuk deleted the remove-driver-extra-odbc branch

June 6, 2023 11:41

dstandish added a commit that referenced this pull request

Jun 7, 2023

…1754)

Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.
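As an added illustration (not code from apache/airflow or the ODBC provider), the following Python models the driver-resolution change that the advisory and this follow-up describe: before the fix a `driver` key in the connection extra was honoured whenever the hook constructor set none, and afterwards the constructor value wins and the extra value counts only when the deployment opts in. The config switch name `allow_driver_in_extra`, the sample connection extras and the audit helper are assumptions constructed for this example.

```python
import json
import logging
from typing import Dict, List, Optional

log = logging.getLogger("odbc_driver_audit")


def _extra_driver(extra_json: str) -> Optional[str]:
    """Return the `driver` value stored in a connection's extra JSON, if any."""
    try:
        extra = json.loads(extra_json or "{}")
    except json.JSONDecodeError:
        return None
    if not isinstance(extra, dict):
        return None
    # Airflow lower-cases extra keys, so treat "Driver" and "driver" alike.
    lowered = {str(k).lower(): v for k, v in extra.items()}
    value = lowered.get("driver")
    return str(value) if value else None


def resolve_driver_vulnerable(constructor_driver: Optional[str], extra_json: str) -> Optional[str]:
    """Pre-4.0.0 shape: the extra supplies the driver whenever the constructor did not.
    The driver string names a library the ODBC manager loads, so a connection editor picks it."""
    return constructor_driver or _extra_driver(extra_json)


def resolve_driver_hardened(constructor_driver: Optional[str], extra_json: str,
                            allow_driver_in_extra: bool = False) -> Optional[str]:
    """4.0.0 shape: constructor wins; the extra value is used only after an explicit
    opt-in (the config switch name is an assumption of this example)."""
    if constructor_driver:
        return constructor_driver
    from_extra = _extra_driver(extra_json)
    if from_extra and allow_driver_in_extra:
        return from_extra
    if from_extra:
        log.warning("ignoring driver %r found in connection extra", from_extra)
    return None


def audit_connections(connections: Dict[str, str]) -> List[str]:
    """Connection ids whose extra sets a driver: the new default stops honouring these,
    so each needs a constructor driver or an explicit opt-in after the upgrade."""
    return sorted(cid for cid, extra in connections.items() if _extra_driver(extra))


# Constructed sample connection extras for the audit (not real connections).
SAMPLE_CONNECTIONS = {
    "odbc_plain": '{"connect_kwargs": {"autocommit": true}}',
    "odbc_driver_in_extra": '{"Driver": "/opt/custom/libcustom.so"}',
    "odbc_bad_json": "{not json",
}
```

Running `audit_connections` over an export of real connection extras before upgrading shows which connections will silently lose their driver setting under the new default.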

syedahsn pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request

Jun 7, 2023

By default, setting driver via extra is disabled, but we have several more ways to set it.

eladkal pushed a commit that referenced this pull request

Jun 8, 2023

…1754)

Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.

(cherry picked from commit 438ba41)

eladkal pushed a commit that referenced this pull request

Jun 9, 2023

…1754)

Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.

(cherry picked from commit 438ba41)

potiuk pushed a commit that referenced this pull request

Jun 9, 2023

…1754)

Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.

(cherry picked from commit 438ba41)

Related news

GHSA-9766-v29c-4vm7: Apache Airflow ODBC Provider Argument Injection vulnerability
