Headline

CVE-2023-27604: Validate SqoopHook connection string and disable extra options from public hook methods by pankajkoti · Pull Request #33039 · apache/airflow

It is recommended to upgrade to a version that is not affected. This issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it.

1 year ago

CVE

Open in Source

#vulnerability #apache #rce #auth

Check that the connection string constructed using the connection’s
host, port and schema does not contain query params as it is
not intended. Additionally, also disable the extra_import_options
and extra_export_options arguments accepted directly by the hook
methods but accept it as a param via the hook constructor when
initialising the hook or by passing it in hook_params when initialising
the hook from operators.

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections. It is recommended to upgrade to a version that is not affected. This issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it.

1 year ago

ghsa

Open in Source

#vulnerability #apache #git #rce #auth