Base Score

HIGH8.8

CVE-2023-22886

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0.

VectorNETWORK

Published Bysecurity@apache.org

Published DateJun 29, 2023, 10:15

Affected Versions(1)

apache-airflow-providers-jdbc(PyPI)

Introduced0

Fixed4.0.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
apache-airflow-providers-jdbc(PyPI)	0	4.0.0	N/A

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://lists.apache.org/thread/ynbjwp4n0vzql0xzhog1gkp1ovncf8j3

Base Score

HIGH8.8

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH