CVE-2023-41267
N/A
N/A
Summary
In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow HDFS Provider | 0 < 4.1.1 | affected |
Weaknesses
- CWE-829: CWE-829 Inclusion of Functionality from Untrusted Control Sphere
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/apache/airflow/pull/33813
- https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z
- http://www.openwall.com/lists/oss-security/2023/09/14/3
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/apache/airflow/pull/33813
- https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z
- http://www.openwall.com/lists/oss-security/2023/09/14/3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.