CVE-2023-35798

CVE Database · CVE-2023-35798

CVE-2023-35798

· MEDIUMModified

CVSS v3.1

4.3

EPSS

0.94%

Published

Jun 27, 2023

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it. This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1. It is recommended to upgrade to a version that is not affected

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-20

Affected Products (2)

apache · apache-airflow-providers-microsoft-mssql (up to 3.4.1)vulnerable

apache · apache-airflow-providers-odbc (up to 4.0.0)vulnerable

References (4)

https://github.com/apache/airflow/pull/31984

PatchVendor Advisory

https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj

Mailing ListVendor Advisory

https://github.com/apache/airflow/pull/31984

PatchVendor Advisory

https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj

Mailing ListVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs