CVE-2023-35798

CVE-2023-35798: Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability

Vendor: Apache Software Foundation
Product: Apache Airflow ODBC Provider
Weakness: CWE-20 · Input validation
Published: June 27, 2023
Last update: October 7, 2024

What the vulnerability does

Description

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider and Apache Software Foundation Apache Airflow MSSQL Provider. This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it. This issue affects Apache Airflow ODBC Provider before 4.0.0 and Apache Airflow MSSQL Provider before 3.4.1. It is recommended to upgrade to a version that is not affected.
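To check an environment against the affected ranges given above, the following added example (not code from the advisory or from the Airflow project) audits `pip freeze`-style pins and the locally installed distributions. The PyPI distribution names and the sample pins are assumptions, since the page names only the products.

```python
import re
from importlib import metadata

# First fixed versions from the description above. Keys are the PyPI
# distribution names (an assumption: the page gives only product names).
FIXED = {"apache-airflow-providers-odbc": "4.0.0",
         "apache-airflow-providers-microsoft-mssql": "3.4.1"}

def _parse(version):
    """Return (release tuple, is_prerelease) for a PEP 440-style version."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad "4.0" to (4, 0, 0)
    pre = bool(re.match(r"[-._]?(a|b|rc|alpha|beta|dev|pre)", m.group(2).lower()))
    return release, pre

def is_affected(name, version):
    """True if name is an affected provider older than its fix (rc/dev of the fix count)."""
    fixed = FIXED.get(re.sub(r"[-_.]+", "-", name).lower())
    if fixed is None:
        return False
    release, pre = _parse(version)
    target = _parse(fixed)[0]
    return release < target or (release == target and pre)

def audit_requirements(text):
    """Scan `pip freeze`-style pins; return (name, version, fixed) per finding."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)", line)
        if m and is_affected(m.group(1), m.group(2)):
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            findings.append((name, m.group(2), FIXED[name]))
    return findings

def audit_installed():
    """Apply the same check to the distributions installed in this interpreter."""
    pins = []
    for name in FIXED:
        try:
            pins.append(f"{name}=={metadata.version(name)}")
        except metadata.PackageNotFoundError:
            pass  # provider not installed here
    return audit_requirements("\n".join(pins))

# Constructed sample input, not taken from a real deployment.
SAMPLE = ("apache-airflow==2.6.1\napache-airflow-providers-odbc==3.3.0\n"
          "apache_airflow_providers_microsoft_mssql==3.4.1rc1\n")
```

A finding only means the pin predates the fixed version; whether the issue is reachable still depends on the two conditions in the description, DAG code calling `get_sqlalchemy_connection` and someone able to update the connection.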

Key dates

Disclosure timeline

June 27, 2023: CVE published
October 7, 2024: Record updated