CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read via JDBC

Vendor: Apache Software Foundation
Product: Apache Airflow Spark Provider
Weakness: CWE-20 · Input validation
Published: August 17, 2023
Last update: February 13, 2025

What the vulnerability does

Description

Apache Airflow Spark Provider versions before 4.1.3 are affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection, giving the attacker an opportunity to read files on the Airflow server. Upgrading to a version that is not affected is recommended.

Key dates

Disclosure timeline

August 17, 2023: CVE published
February 13, 2025: Record updated