GHSA-2rx4-9f5h-9gjf: Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
In Apache Airflow CNCF Kubernetes provider versions 5.0.0 and later, before 7.0.0, a user can change the image and resources of the XCom sidecar container through the Kubernetes Airflow connection. Because the KubernetesPodOperator runs that sidecar inside the task pod to collect XCom results, a connection pointing at an attacker-controlled image yields arbitrary code execution in the pod.
In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner; the issue is therefore an escalation from connection-editing rights in Airflow to code execution in the Kubernetes cluster where task pods run, not an unauthenticated flaw. Operators should upgrade to provider version 7.0.0, which removes the vulnerability, and review existing Kubernetes connections for sidecar settings they did not set themselves.
- CVE-2023-33234
High severity GitHub Reviewed Published Jul 6, 2023 to the GitHub Advisory Database • Updated Jul 6, 2023
Package
apache-airflow-providers-cncf-kubernetes (pip)
Affected versions
>= 5.0.0, < 7.0.0
Published to the GitHub Advisory Database
Jul 6, 2023
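The following script is an added example, not part of the advisory or of the Airflow project. It implements the two checks an operator would want after reading the advisory: whether the installed apache-airflow-providers-cncf-kubernetes falls in the affected range >= 5.0.0, < 7.0.0, and whether any Kubernetes connection in an `airflow connections export` JSON file sets XCom sidecar extras. The export layout (conn_id mapped to a dict with `conn_type` and `extra`), the `extra__kubernetes__xcom_sidecar_*` key names and the sample connections are assumptions and constructed test data, not values the advisory provides.

```python
"""Added example for GHSA-2rx4-9f5h-9gjf / CVE-2023-33234 (not from the advisory).

Two offline checks:
  1. is_affected(): is a provider version inside the advisory's range
     >= 5.0.0, < 7.0.0?
  2. find_suspicious_connections(): scan an `airflow connections export`
     style JSON document for Kubernetes connections whose `extra` sets
     XCom sidecar image/resources. Matching on the substring "xcom_sidecar"
     in extra keys is an assumption about the provider's naming, not a fact
     stated by the advisory; treat a hit as a lead to review by hand.
"""
from __future__ import annotations

import json
import re
from importlib import metadata

PACKAGE = "apache-airflow-providers-cncf-kubernetes"
FIRST_AFFECTED = (5, 0, 0)   # ">= 5.0.0" from the advisory
FIRST_FIXED = (7, 0, 0)      # "< 7.0.0"  from the advisory


def release_tuple(version: str) -> tuple[int, ...]:
    """Leading dotted integers of a version string, e.g. "6.1.0" -> (6, 1, 0).

    Pre-release and local suffixes ("7.0.0rc1", "5.0.0+local") are dropped;
    only the release segments matter for this advisory's plain range.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if `version` lies in the advisory's affected range."""
    rel = release_tuple(version)
    if len(rel) < 3:                       # "6" compares like (6, 0, 0)
        rel = rel + (0,) * (3 - len(rel))
    return FIRST_AFFECTED <= rel < FIRST_FIXED


def installed_version(package: str = PACKAGE) -> str | None:
    """Version of the installed provider, or None if it is not installed."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def find_suspicious_connections(connections_json: str) -> list[tuple[str, list[str]]]:
    """Return (conn_id, [offending extra keys]) for every Kubernetes connection
    whose `extra` field names the XCom sidecar.

    Assumed input shape: {conn_id: {"conn_type": ..., "extra": ...}, ...},
    with `extra` either a dict or a JSON-encoded string.
    """
    conns = json.loads(connections_json)
    hits: list[tuple[str, list[str]]] = []
    for conn_id, conn in conns.items():
        if conn.get("conn_type") != "kubernetes":
            continue
        extra = conn.get("extra") or {}
        if isinstance(extra, str):
            extra = json.loads(extra) if extra.strip() else {}
        keys = sorted(k for k in extra if "xcom_sidecar" in k.lower())
        if keys:
            hits.append((conn_id, keys))
    return hits


# Constructed sample export: one clean connection, one with sidecar overrides,
# one non-Kubernetes connection that must be ignored.
SAMPLE_EXPORT = json.dumps({
    "k8s_default": {
        "conn_type": "kubernetes",
        "extra": {"extra__kubernetes__in_cluster": True},
    },
    "k8s_tampered": {
        "conn_type": "kubernetes",
        "extra": json.dumps({
            "extra__kubernetes__in_cluster": True,
            "extra__kubernetes__xcom_sidecar_container_image": "registry.example/sidecar:latest",
            "extra__kubernetes__xcom_sidecar_container_resources": "{}",
        }),
    },
    "postgres_default": {"conn_type": "postgres", "extra": {}},
})


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print(f"{PACKAGE} is not installed")
    else:
        print(f"{PACKAGE} {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for conn_id, keys in find_suspicious_connections(SAMPLE_EXPORT):
        print(f"review connection {conn_id!r}: sets {', '.join(keys)}")
```

Run it on a real deployment by replacing SAMPLE_EXPORT with the contents of the file written by `airflow connections export`; a version check that reports AFFECTED means upgrading to 7.0.0 is the fix, while a connection hit means someone with Op or Admin rights has set sidecar overrides and the image they point at should be inspected before the next task run.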