CVE-2023-34395
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in apache-airflow-providers-odbc (PyPI)

No known exploit

What is CVE-2023-34395 About?

This vulnerability is an argument injection flaw in the Apache Airflow ODBC Provider, specifically in the `OdbcHook` component before version 4.0.0. It allows for privilege escalation by leveraging controllable ODBC driver parameters to load arbitrary dynamic-link libraries, which can result in command execution. Exploitation relies on manipulating ODBC driver configuration and is likely of moderate complexity.

Affected Software

apache-airflow-providers-odbc <4.0.0

Technical Details

The vulnerability, categorized as Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'), affects the Apache Airflow ODBC Provider versions prior to 4.0.0. Specifically, within the OdbcHook component, there's a flaw where ODBC driver parameters are controllable without proper sanitization or neutralization of argument delimiters. This allows an attacker to inject malicious arguments or modify existing ones in a way that tricks the system into performing unintended actions. The core attack vector involves manipulating these parameters to enable the loading of arbitrary dynamic-link libraries (DLLs) onto the system. Once an attacker can control which DLLs are loaded, they can execute arbitrary commands with the privileges of the Airflow worker process, leading to privilege escalation.

What is the Impact of CVE-2023-34395?

Successful exploitation may allow attackers to achieve privilege escalation and execute arbitrary commands on the underlying system, leading to full system compromise, data theft, and denial-of-service.

What is the Exploitability of CVE-2023-34395?

Exploitation likely requires some level of access to configure or trigger tasks within Apache Airflow that utilize the OdbcHook. The complexity is moderate, as it involves understanding how to craft malicious ODBC driver parameters to achieve DLL loading and command execution. Authentication to the Airflow system is a prerequisite. The attacker would need privileges to create or modify DAGs or connections that use the ODBC Provider. This is a local vulnerability in the context of the Airflow environment, although the Airflow instance itself might be remotely accessible. Special conditions include the specific configuration of ODBC drivers and the ability to inject parameters. The risk factors are increased in environments where Airflow users have broad permissions to define ODBC connections or configure driver settings.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-34395?

Available Upgrade Options

  • apache-airflow-providers-odbc
    • <4.0.0 → Upgrade to 4.0.0
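
To check whether an environment is exposed, the following sketch compares the installed provider version with the fixed release 4.0.0 and flags ODBC connections whose extras set a driver or name a library file. It is an added example, not code from the advisory or the Airflow project; the connection records are constructed sample data, and treating a `driver` key in a connection's extra JSON (and library-file suffixes in values) as the parameter of interest is an assumption of this example.

```python
import json
import re
from importlib import metadata

PACKAGE = "apache-airflow-providers-odbc"
FIXED = (4, 0, 0)  # first fixed release named in the advisory
LIB_SUFFIXES = (".dll", ".so", ".dylib")  # heuristic, an assumption of this example

# Constructed sample records shaped like exported Airflow connections.
SAMPLE_CONNECTIONS = [
    {"conn_id": "warehouse", "conn_type": "odbc",
     "extra": '{"driver": "ODBC Driver 18 for SQL Server"}'},
    {"conn_id": "reports", "conn_type": "odbc", "extra": '{"ApplicationIntent": "ReadOnly"}'},
    {"conn_id": "pg", "conn_type": "postgres", "extra": '{"driver": "x"}'},
]

def release_tuple(version):  # numeric release only: '3.3.0rc1' -> (3, 3, 0)
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return release_tuple(version) < FIXED

def installed_version():
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None  # provider not installed in this environment

def risky_extras(extra_json):  # keys that set a driver or name a library file
    try:
        extra = json.loads(extra_json or "{}")
    except json.JSONDecodeError:
        extra = None
    if not isinstance(extra, dict):
        return ["<unparseable extra>"]  # surface it for manual review
    return [k for k, v in extra.items()
            if k.lower() == "driver" or str(v).lower().endswith(LIB_SUFFIXES)]

def audit(connections):  # conn_id -> flagged keys, ODBC connections only
    odbc = [c for c in connections if c.get("conn_type") == "odbc"]
    return {c["conn_id"]: h for c in odbc if (h := risky_extras(c.get("extra")))}

if __name__ == "__main__":
    v = installed_version()
    print("affected:", bool(v) and is_affected(v), "flagged:", audit(SAMPLE_CONNECTIONS))
```

A flagged connection is a prompt to review who can edit it, not proof of compromise.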

What are Similar Vulnerabilities to CVE-2023-34395?

Similar Vulnerabilities: CVE-2021-36760, CVE-2020-13936, CVE-2019-12403, CVE-2018-1335, CVE-2017-9791