← Back to CVEs
CVE-2023-33234
HIGH7.2
Description
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.
CVE Details
CVSS v3.1 Score7.2
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredHIGH
User InteractionNONE
Published5/30/2023
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
apache:airflow_cncf_kubernetes
Weaknesses (CWE)
CWE-74
References
https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq(security@apache.org)
https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.