GHSA-4q2q-q5pw-2342

Suggest an improvement
Source
https://github.com/advisories/GHSA-4q2q-q5pw-2342
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4q2q-q5pw-2342/GHSA-4q2q-q5pw-2342.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4q2q-q5pw-2342
Aliases
  • CVE-2023-37415
Published
2023-07-13T09:30:28Z
Modified
2025-02-13T19:12:10.067118Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Airflow Apache Hive Provider Improper Input Validation vulnerability
Details

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.

Patching on top of CVE-2023-35797 Before 6.1.2 the proxy_user option can also inject semicolon.

This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.

It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.

Database specific 
{
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-13T17:01:41Z",
    "nvd_published_at": "2023-07-13T08:15:10Z",
    "severity": "HIGH"
}
References

Affected packages

PyPI / apache-airflow-providers-apache-hive

Package

Name
apache-airflow-providers-apache-hive
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-providers-apache-hive

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.2

Affected versions

1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.0.2rc1
1.0.2
1.0.3rc1
1.0.3
2.*
2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc1
2.0.1rc2
2.0.1
2.0.2rc1
2.0.2
2.0.3rc1
2.0.3
2.1.0rc1
2.1.0
2.2.0rc1
2.2.0rc2
2.2.0
2.3.0rc1
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2
2.3.3rc1
2.3.3
3.*
3.0.0rc1
3.0.0rc2
3.0.0
3.1.0rc1
3.1.0
4.*
4.0.0rc1
4.0.0rc2
4.0.0rc3
4.0.0
4.0.1rc1
4.0.1
4.1.0rc1
4.1.0
4.1.1rc2
4.1.1rc3
4.1.1
5.*
5.0.0rc1
5.0.0
5.1.0rc1
5.1.0rc2
5.1.0
5.1.1rc1
5.1.1
5.1.2rc1
5.1.2
5.1.3rc1
5.1.3
6.*
6.0.0rc1
6.0.0
6.1.0rc1
6.1.0rc2
6.1.0
6.1.1rc1
6.1.1
6.1.2rc2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4q2q-q5pw-2342/GHSA-4q2q-q5pw-2342.json"