CVE-2023-33234

Source
https://cve.org/CVERecord?id=CVE-2023-33234
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33234.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-33234
Aliases
Published
2023-05-30T11:15:09.553Z
Modified
2026-03-14T12:07:10.656612Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows a user to change the XCom sidecar image and resources via an Airflow connection.

In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0, which has removed the vulnerability.

References

Affected packages

Git /

Affected ranges

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33234.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "5.0.0"
            },
            {
                "fixed": "7.0.0"
            }
        ]
    }
]