← back
CVE-2023-22886

Apache Airflow JDBC Provider: RCE Vulnerability

CVSS 8.8 HIGHEPSS 1.1%CWE-20
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache Airflow JDBC Provider

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://lists.apache.org/thread/ynbjwp4n0vzql0xzhog1gkp1ovncf8j3