Apache Airflow patches multiple vulnerabilities affecting its packages

Apache Airflow has published a security advisory to warn users about multiple security bugs affecting many of its packages. While the vulnerabilities are not rated as critical, they are still significant on their own and can be abused by malicious actors as part of exploit chains.

Apache Airflow is an open-source platform for developing, scheduling, and monitoring batch-oriented workflows. Airflow’s extensible Python framework enables you to build workflows connecting with virtually any technology. A web interface helps manage the state of your workflows. Airflow is deployable in many ways, varying from a single process on your laptop to a distributed setup to support even the biggest workflows.

The five flaws disclosed in Apache Airflow’s advisory are the following:

  • CVE-2023-25956 (Moderate severity): Apache Airflow AWS Provider: Arbitrary file read via AWS provider
    Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.
  • CVE-2023-25696 (Moderate severity): Apache Airflow Hive Provider Beeline RCE
    Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.
  • CVE-2023-25693 (Moderate severity): Apache Airflow Sqoop Provider Remote Code Execution
    Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
  • CVE-2023-25692 (Low severity): Apache Airflow Google Provider: Google Cloud Sql Provider Denial Of Service
    Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.
  • CVE-2023-25691 (Moderate severity): Apache Airflow Google Provider: Google Cloud Sql Provider Remote Command Execution
    Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

Apache Airflow has released security updates that address the problems for most of the impacted versions. While these vulnerabilities are not critical, it is still strongly advised that users upgrade their affected provider packages as soon as possible.
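A quick way to confirm whether an Airflow environment is still below the fixed versions listed above is to compare the installed provider packages against them. The script below is an added example, not code from the advisory or the Airflow project; the PyPI distribution names for the four providers are my assumption, since the advisory only names the providers.

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Minimum fixed versions from the advisory above. The PyPI distribution names
# are an assumption of this example; the advisory only names the providers.
FIXED_VERSIONS = {
    "apache-airflow-providers-amazon": ("7.2.1", ["CVE-2023-25956"]),
    "apache-airflow-providers-apache-hive": ("5.1.3", ["CVE-2023-25696"]),
    "apache-airflow-providers-apache-sqoop": ("3.1.1", ["CVE-2023-25693"]),
    "apache-airflow-providers-google": ("8.10.0", ["CVE-2023-25692", "CVE-2023-25691"]),
}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")

def parse_version(text):
    """Return (numeric parts, is_final). A suffix such as rc1 marks a pre-release,
    which sorts below the final release and so still counts as vulnerable."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, 0 if match.group(2) else 1

def is_vulnerable(installed, fixed):
    """True when installed < fixed. Components compare as integers, so 8.9.3
    sorts below 8.10.0; a plain string comparison would get that backwards."""
    inst_nums, inst_final = parse_version(installed)
    fix_nums, fix_final = parse_version(fixed)
    width = max(len(inst_nums), len(fix_nums))
    inst_nums += (0,) * (width - len(inst_nums))  # pad 7.3 -> 7.3.0
    fix_nums += (0,) * (width - len(fix_nums))
    return (inst_nums, inst_final) < (fix_nums, fix_final)

def audit(inventory):
    """inventory: dist name -> version; returns (package, installed, fixed, cves) per gap."""
    findings = []
    for package, (fixed, cves) in FIXED_VERSIONS.items():
        installed = inventory.get(package)
        if installed is not None and is_vulnerable(installed, fixed):
            findings.append((package, installed, fixed, cves))
    return findings

def installed_inventory():
    """Collect the affected providers present in this Python environment."""
    inventory = {}
    for package in FIXED_VERSIONS:
        try:
            inventory[package] = installed_version(package)
        except PackageNotFoundError:
            pass  # provider not installed, so not exposed to its CVEs
    return inventory
```

Run `audit(installed_inventory())` inside the environment that hosts the scheduler and workers; an empty list means none of the listed providers is below its fixed version.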

Source: seclists