Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows a user to change the xcom sidecar image and resources via an Airflow connection.
In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0, which has removed the vulnerability.
Metrics
Affected Vendors & Products
References
History
Thu, 10 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Metrics | | ssvc
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2023-05-30T10:56:56.139Z
Updated: 2024-10-10T14:29:26.536Z
Reserved: 2023-05-18T19:15:07.833Z
Link: CVE-2023-33234
Vulnrichment
Updated: 2024-08-02T15:39:35.691Z
NVD
Status: Modified
Published: 2023-05-30T11:15:09.553
Modified: 2024-11-21T08:05:12.210
Link: CVE-2023-33234
Redhat
No data.