Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner.  Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.
History

Thu, 10 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-05-30T10:56:56.139Z

Updated: 2024-10-10T14:29:26.536Z

Reserved: 2023-05-18T19:15:07.833Z

Link: CVE-2023-33234

cve-icon Vulnrichment

Updated: 2024-08-02T15:39:35.691Z

cve-icon NVD

Status : Modified

Published: 2023-05-30T11:15:09.553

Modified: 2024-10-10T15:35:07.983

Link: CVE-2023-33234

cve-icon Redhat

No data.