CVE-2023-34395: Disable setting ODBC driver via extra by default by potiuk · Pull Request #31713 · apache/airflow
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, a privilege escalation vulnerability exists due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting with version 4.0.0, the driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider before 4.0.0.
potiuk changed the title from "Only allow to set driver via Hook constructor parameters" to "Disable setting ODBC driver via extra by default" on Jun 5, 2023
By default, setting the driver via extra is disabled, but we have several more ways to set it.
potiuk deleted the remove-driver-extra-odbc branch
June 6, 2023 11:41
dstandish added a commit that referenced this pull request
Jun 7, 2023
…1754)
Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.
syedahsn pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request
Jun 7, 2023
By default, setting the driver via extra is disabled, but we have several more ways to set it.
eladkal pushed a commit that referenced this pull request
Jun 8, 2023
…1754)
Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.
(cherry picked from commit 438ba41)
eladkal pushed a commit that referenced this pull request
Jun 9, 2023
…1754)
Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.
(cherry picked from commit 438ba41)
eladkal pushed a commit that referenced this pull request
Jun 9, 2023
…1754)
Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.
(cherry picked from commit 438ba41)
eladkal pushed a commit that referenced this pull request
Jun 9, 2023
…1754)
Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.
(cherry picked from commit 438ba41)
potiuk pushed a commit that referenced this pull request
Jun 9, 2023
…1754)
Refines #31713, which disabled (by default) setting driver through extra. Here we make it so that the flag to enable is located in airflow config instead of hook param.
(cherry picked from commit 438ba41)
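The advisory above describes why a `driver` value taken from a connection's extra JSON is dangerous (it names the library the ODBC driver manager loads), and the follow-up commits move the opt-in to Airflow config. The following is an added example, not the provider's own code, that models the post-fix precedence: a driver passed to the hook constructor always wins, a driver in extra is honoured only when the deployment opts in, and otherwise it is dropped with a warning. The function names, the `allow_driver_in_extra` parameter (standing in for the config flag) and the sample extra are assumptions constructed for this illustration.

```python
import json
import logging
from typing import Optional

log = logging.getLogger(__name__)

# Keys the hook handles itself; never copied verbatim into the connection string.
RESERVED_EXTRA_KEYS = {"driver", "dsn", "connect_kwargs", "sqlalchemy_scheme", "placeholder"}


def resolve_driver(extra_json: str, constructor_driver: Optional[str] = None,
                   allow_driver_in_extra: bool = False) -> Optional[str]:
    """Pick the ODBC driver. Code-controlled constructor value wins; the
    connection's extra JSON is consulted only if the deployment opted in.
    allow_driver_in_extra is a hypothetical stand-in for the config flag."""
    if constructor_driver:
        return constructor_driver
    extra = json.loads(extra_json) if extra_json else {}
    extra_driver = extra.get("driver")
    if extra_driver is None:
        return None
    if allow_driver_in_extra:
        return str(extra_driver)
    # DRIVER= is what the ODBC driver manager resolves to a shared library, so
    # anyone who can edit the connection would otherwise choose what gets loaded.
    log.warning("Ignoring 'driver' in connection extra (%r): not enabled in config", extra_driver)
    return None


def build_connection_string(host: str, database: str, extra_json: str = "",
                            constructor_driver: Optional[str] = None,
                            allow_driver_in_extra: bool = False) -> str:
    """Assemble a pyodbc-style connection string from trusted parts plus the
    non-reserved extra keys (e.g. Encrypt=yes)."""
    extra = json.loads(extra_json) if extra_json else {}
    parts = []
    driver = resolve_driver(extra_json, constructor_driver, allow_driver_in_extra)
    if driver:
        parts.append(f"DRIVER={{{driver}}}")
    parts.append(f"SERVER={host}")
    parts.append(f"DATABASE={database}")
    for key, value in extra.items():
        if key.lower() not in RESERVED_EXTRA_KEYS:
            parts.append(f"{key}={value}")
    return ";".join(parts)


if __name__ == "__main__":
    # Constructed sample: a connection whose extra tries to pick the driver library.
    untrusted_extra = json.dumps({"driver": "/untrusted/path/libuntrusted.so", "Encrypt": "yes"})
    print(build_connection_string("db.example.internal", "airflow", untrusted_extra))
    # -> SERVER=db.example.internal;DATABASE=airflow;Encrypt=yes  (extra driver dropped)
```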