GHSA-5cvg-9pp5-mxcj

Source

https://github.com/advisories/GHSA-5cvg-9pp5-mxcj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-5cvg-9pp5-mxcj/GHSA-5cvg-9pp5-mxcj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5cvg-9pp5-mxcj

Aliases

CVE-2023-28706

Published

2023-04-07T15:30:38Z

Modified

2023-11-08T04:12:14.087623Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Airflow Hive Provider vulnerable to code injection

Details

Apache Software Foundation's Apache Airflow Hive Provider before 6.0.0 is vulnerable to improper control of generation of code.

Database specific

{
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2023-04-07T22:23:40Z",
    "nvd_published_at": "2023-04-07T15:15:00Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

Affected packages

PyPI / apache-airflow-providers-apache-hive

Package

Name: apache-airflow-providers-apache-hive; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow-providers-apache-hive

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.0

Affected versions

1.*

1.0.0b1

1.0.0b2

1.0.0rc1

1.0.0

1.0.1rc1

1.0.1

1.0.2rc1

1.0.2

1.0.3rc1

1.0.3

2.*

2.0.0rc1

2.0.0rc2

2.0.0

2.0.1rc1

2.0.1rc2

2.0.1

2.0.2rc1

2.0.2

2.0.3rc1

2.0.3

2.1.0rc1

2.1.0

2.2.0rc1

2.2.0rc2

2.2.0

2.3.0rc1

2.3.0

2.3.1rc1

2.3.1

2.3.2rc1

2.3.2

2.3.3rc1

2.3.3

3.*

3.0.0rc1

3.0.0rc2

3.0.0

3.1.0rc1

3.1.0

4.*

4.0.0rc1

4.0.0rc2

4.0.0rc3

4.0.0

4.0.1rc1

4.0.1

4.1.0rc1

4.1.0

4.1.1rc2

4.1.1rc3

4.1.1

5.*

5.0.0rc1

5.0.0

5.1.0rc1

5.1.0rc2

5.1.0

5.1.1rc1

5.1.1

5.1.2rc1

5.1.2

5.1.3rc1

5.1.3

6.*

6.0.0rc1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-5cvg-9pp5-mxcj/GHSA-5cvg-9pp5-mxcj.json"