You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@airflow.apache.org by Elad Kalif <el...@apache.org> on 2023/05/26 19:54:53 UTC
CVE-2023-33234: Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
Severity: low
Affected versions:
- Apache Airflow CNCF Kubernetes Provider 5.0.0 through 6.1.0
Description:
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection.
In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.
References:
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-33234
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@airflow.apache.org
For additional commands, e-mail: users-help@airflow.apache.org