Posted to announce@apache.org by Jarek Potiuk <po...@apache.org> on 2023/01/21 00:50:27 UTC

CVE-2023-22884: Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow

Severity: important

Description:

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

Credit:

Son Tran from VNPT - VCI (reporter)

References:

https://github.com/apache/airflow/pull/28811
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-22884


Re: CVE-2023-22884: Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow

Posted by Jarek Potiuk <po...@apache.org>.
Also we want to credit id_No2015429 of 3H Security Team for his
reports for the same issue.

J.


On Mon, Jan 23, 2023 at 12:25 PM Jarek Potiuk <po...@apache.org> wrote:
>
> Also we want to credit id_No2015429 of 3H Security Team for his reports for the same issue.
>
> On Sat, Jan 21, 2023 at 1:51 AM Jarek Potiuk <po...@apache.org> wrote:
>>
>> Severity: important
>>
>> Description:
>>
>> Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
>>
>> Credit:
>>
>> Son Tran from VNPT - VCI (reporter)
>>
>> References:
>>
>> https://github.com/apache/airflow/pull/28811
>> https://airflow.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2023-22884
>>

Re: CVE-2023-22884: Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow

Posted by Jarek Potiuk <po...@apache.org>.
Also we want to credit id_No2015429 of 3H Security Team for his reports for
the same issue.

On Sat, Jan 21, 2023 at 1:51 AM Jarek Potiuk <po...@apache.org> wrote:

> Severity: important
>
> Description:
>
> Improper Neutralization of Special Elements used in a Command ('Command
> Injection') vulnerability in Apache Software Foundation Apache Airflow,
> Apache Software Foundation Apache Airflow MySQL Provider. This issue affects
> Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
>
> Credit:
>
> Son Tran from VNPT - VCI (reporter)
>
> References:
>
> https://github.com/apache/airflow/pull/28811
> https://airflow.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-22884
>
>