CVE-2023-33234

Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

CVSS 7.2 HIGHEPSS 1.5%CWE-74

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.2EPSS 1.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

30 May 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

Apache Software Foundation · Apache Airflow CNCF Kubernetes Provider

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq