CVE-2023-47265
Symlink Attack vulnerability in apache-airflow (PyPI)
What is CVE-2023-47265 About?
This vulnerability is a symlink attack affecting Spring Boot versions 1.5.9 and earlier, and 2.0.0.M1 through 2.0.0.M7, when using the embedded launch script as a systemd or init.d service. It allows the 'run_user' to overwrite and take ownership of arbitrary files on the system. Exploitation requires the application to be installed as a service and the run_user to have shell access.
Affected Software
Technical Details
The embedded launch script in Spring Boot, designed to run applications as systemd or init.d services, is vulnerable to a symlink attack. When the service is started or stopped, the launch script performs operations (e.g., creating temporary files or log files) with insufficient precautions regarding existing symlinks. An attacker, operating as the run_user (the user account under which the service runs) and having shell access to the server, can create a symbolic link from a predictable temporary file path to an arbitrary target file on the filesystem. When the Spring Boot service then attempts to write to or modify the temporary file (which is now a symlink), it inadvertently performs this operation on the attacker-controlled target file. This can lead to overwriting critical system files, altering permissions, or taking ownership of files, as the script executes with the privileges of the run_user.
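The write pattern described above, as an added example that is not part of this advisory or of either project's code: a naive `open()` of a predictable temp-file path follows a planted symlink and clobbers its target, while a write that opens with `O_CREAT|O_EXCL|O_NOFOLLOW` refuses the path and leaves the target untouched. File names and contents are constructed for the demonstration.

```python
import os
import tempfile

def write_nofollow(path: str, data: bytes) -> bool:
    """Create `path` and write `data`, refusing to go through a symlink at that name.
    O_CREAT|O_EXCL fails with EEXIST if anything (even a dangling symlink) already
    occupies the name; O_NOFOLLOW is belt-and-braces. Returns False when refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True

def demo() -> dict:
    """Constructed scenario: a symlink planted at a predictable temp path.
    Compares a naive open() with write_nofollow() against the same symlink."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.conf")   # stands in for a sensitive file
        planted = os.path.join(d, "app.pid")      # the predictable temp-file name
        with open(target, "wb") as f:
            f.write(b"original\n")
        os.symlink(target, planted)               # the planted link

        # Naive pattern: open() follows the symlink and overwrites the target.
        with open(planted, "wb") as f:
            f.write(b"clobbered\n")
        with open(target, "rb") as f:
            after_naive = f.read()

        # Restore the target, then try the hardened write against the same link.
        with open(target, "wb") as f:
            f.write(b"original\n")
        hardened_ok = write_nofollow(planted, b"12345\n")
        with open(target, "rb") as f:
            after_hardened = f.read()

        # A fresh, unclaimed name is still accepted by the hardened write.
        fresh_ok = write_nofollow(os.path.join(d, "fresh.pid"), b"12345\n")

    return {"after_naive": after_naive, "hardened_ok": hardened_ok,
            "after_hardened": after_hardened, "fresh_ok": fresh_ok}
```

A pre-write `test -L` check in a shell script does not give the same guarantee: it is a separate step from the write, so a link planted between the check and the write still wins.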
What is the Impact of CVE-2023-47265?
Successful exploitation may allow attackers to overwrite and take ownership of arbitrary files on the system, potentially leading to privilege escalation, denial of service, data corruption, or full system compromise.
What is the Exploitability of CVE-2023-47265?
Exploitation of this symlink attack is complex. It requires the Spring Boot application to be installed as a systemd or init.d service and, critically, for the attacker to have shell access as the 'run_user' assigned to that service. This implies prior authentication and local access to the server. The attacker needs to precisely time the creation of the symlink to coincide with the service's file operations (e.g., during startup or shutdown). Privilege requirements are those of the 'run_user'. This is a local exploitation scenario. The likelihood of exploitation increases if the 'run_user' has an exposed shell or if other vulnerabilities allow an attacker to gain shell access as that user. Applications not installed as services or not using the embedded launch script are not vulnerable.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-47265?
Available Upgrade Options
- apache-airflow
- >2.6.0, <2.8.0b1 → Upgrade to 2.8.0b1
Additional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-264.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2023-47265
- https://github.com/apache/airflow
- https://osv.dev/vulnerability/GHSA-pxch-wr7m-rwxj
- https://lists.apache.org/thread/128f3zl375vb1qv93k82zhnwkpl233pr
- https://github.com/apache/airflow/commit/0b995602e6e5894ee31625a4dd0e6aa255d2a651
- https://github.com/apache/airflow/pull/35460
- http://www.openwall.com/lists/oss-security/2023/12/21/2
What are Similar Vulnerabilities to CVE-2023-47265?
Similar Vulnerabilities: CVE-2023-34040, CVE-2022-42890, CVE-2021-41903, CVE-2020-16166, CVE-2019-12415
