GHSA-ffj9-4crc-q7wf

Source

https://github.com/advisories/GHSA-ffj9-4crc-q7wf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-ffj9-4crc-q7wf/GHSA-ffj9-4crc-q7wf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ffj9-4crc-q7wf

Aliases

CVE-2023-28710

Published

2023-04-07T15:30:38Z

Modified

2023-11-08T04:12:14.332625Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Apache Airflow Spark Provider vulnerable to improper input validation

Details

Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of JDBC Hook can contain / and ? which is used to denote the end of the field.

Database specific

{
    "nvd_published_at": "2023-04-07T15:15:00Z",
    "github_reviewed_at": "2023-04-07T22:22:39Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ]
}

References

Affected packages

PyPI / apache-airflow-providers-apache-spark

Package

Name: apache-airflow-providers-apache-spark; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow-providers-apache-spark

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.1

Affected versions

1.*

1.0.0b1

1.0.0b2

1.0.0rc1

1.0.0

1.0.1rc1

1.0.1

1.0.2rc1

1.0.2

1.0.3rc1

1.0.3

2.*

2.0.0rc1

2.0.0rc2

2.0.0

2.0.1rc1

2.0.1

2.0.2rc1

2.0.2

2.0.3rc1

2.0.3

2.1.0rc1

2.1.0rc2

2.1.0

2.1.1rc1

2.1.1

2.1.2rc1

2.1.2

2.1.3rc1

2.1.3

3.*

3.0.0rc1

3.0.0rc2

3.0.0

4.*

4.0.0rc1

4.0.0

4.0.1rc1