You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@airflow.apache.org by Elad Kalif <el...@apache.org> on 2023/05/26 19:54:53 UTC

CVE-2023-33234: Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

Severity: low

Affected versions:

- Apache Airflow CNCF Kubernetes Provider 5.0.0 through 6.1.0

Description:

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection.

In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner.  Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-33234


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@airflow.apache.org
For additional commands, e-mail: users-help@airflow.apache.org