CVE-2023-33234
Last modified
CVE-2023-33234 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability. . EPSS estimates a 1.53% chance of exploitation in the next 30 days.
Description
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow Cncf Kubernetes | >= 5.0.0, < 7.0.0 |
References
- https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnqMailing List, Vendor Advisory
- https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnqMailing List, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-33234?
How severe is CVE-2023-33234?
How do I fix CVE-2023-33234?
Are you affected by CVE-2023-33234?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST