CVE-2023-35798
Input Validation vulnerability in apache-airflow-providers-odbc (PyPI)
What is CVE-2023-35798 About?
This vulnerability is an Input Validation flaw in Apache Airflow ODBC Provider (before 4.0.0) and MSSQL Provider (before 3.4.1). It could allow for malicious actions, but exploitation is considered low risk as it requires specific DAG code use and compromised connection resources. The ease of exploitation is low due to these prerequisites.
Affected Software
- apache-airflow-providers-odbc
  - <4.0.0
- apache-airflow-providers-microsoft-mssql
  - <3.4.1
Technical Details
The Input Validation vulnerability exists within the Apache Airflow ODBC Provider and MSSQL Provider. If DAG code explicitly uses the get_sqlalchemy_connection method, and an attacker with access to connection resources is able to modify the database connection parameters to include malicious input, the lack of proper input validation can lead to unintended code execution or other undesirable effects. The flaw allows for the injection of unsanitized input into parameters intended for database connections, which could be leveraged to execute commands or manipulate data when the application attempts to establish the connection.
What is the Impact of CVE-2023-35798?
Successful exploitation may allow attackers to execute arbitrary commands, disclose sensitive information, or manipulate database connections, potentially leading to unauthorized data access or system compromise.
What is the Exploitability of CVE-2023-35798?
Exploitation of this vulnerability has low complexity due to significant prerequisites. It requires the existence of DAG code that specifically uses the get_sqlalchemy_connection function. Additionally, an attacker must have sufficient privileges to access and modify connection resources within Apache Airflow. This implies a level of internal access or compromise already. Exploitation would typically be local or require prior authenticated access to modify configurations. The special condition is the specific DAG code usage and the attacker's ability to manipulate connection settings. Risk factors increasing likelihood include lax access control over Airflow connection configurations and custom DAGs utilizing the specific vulnerable function.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-35798?
Available Upgrade Options
- apache-airflow-providers-odbc
  - <4.0.0 → Upgrade to 4.0.0
- apache-airflow-providers-microsoft-mssql
  - <3.4.1 → Upgrade to 3.4.1
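A triage check for the two conditions this page describes (a provider below its fixed version, and DAG code that calls `get_sqlalchemy_connection`), added here as an example and not taken from the Airflow project. The installed-version map and the DAG source are constructed samples; the fixed versions are the ones listed on this page.

```python
import ast
import re

# Fixed versions as listed on this page.
FIXED = {
    "apache-airflow-providers-odbc": (4, 0, 0),
    "apache-airflow-providers-microsoft-mssql": (3, 4, 1),
}
RISKY_CALL = "get_sqlalchemy_connection"  # method named in the advisory text

def parse_version(text):
    """Numeric release part only: '3.4.1rc1' -> (3, 4, 1). Suffixes are ignored (assumption)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def affected_packages(installed):
    """installed maps package name -> version string; returns names below the fix."""
    return sorted(name for name, ver in installed.items()
                  if name in FIXED and parse_version(ver) < FIXED[name])

def find_risky_calls(source, filename="<dag>"):
    """Parse DAG source without importing it; return (filename, line) per call."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name == RISKY_CALL:
                hits.append((filename, node.lineno))
    return sorted(hits)

# Constructed sample inputs (not from a real deployment).
SAMPLE_INSTALLED = {
    "apache-airflow-providers-odbc": "3.3.0",
    "apache-airflow-providers-microsoft-mssql": "3.4.1",
}
SAMPLE_DAG = '''
from airflow.providers.odbc.hooks.odbc import OdbcHook

def load():
    hook = OdbcHook(odbc_conn_id="warehouse")
    return hook.get_sqlalchemy_connection()
'''

if __name__ == "__main__":
    print("below fixed version:", affected_packages(SAMPLE_INSTALLED))
    for path, line in find_risky_calls(SAMPLE_DAG, "dags/load.py"):
        print(f"{path}:{line}: calls {RISKY_CALL}; review who can edit this connection")
```

A deployment where both checks return results is the combination the page describes; upgrading the provider removes the first condition regardless of what the DAG scan finds.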
Additional Resources
- https://osv.dev/vulnerability/GHSA-q57w-826p-46jr
- https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj
- https://nvd.nist.gov/vuln/detail/CVE-2023-35798
- https://github.com/apache/airflow/pull/31984
- https://github.com/apache/airflow
- https://github.com/apache/airflow/commit/b6836986846058e9e5fa271fb7b22ae721020787
What are Similar Vulnerabilities to CVE-2023-35798?
Similar Vulnerabilities: CVE-2020-13943, CVE-2021-22125, CVE-2021-3998, CVE-2022-29864, CVE-2022-40112
