CVE-2023-33234

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection.

In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.

Published: May 30, 2023
Updated: May 9, 2024
CVE: CVE-2023-33234
GHSA: GHSA-2rx4-9f5h-9gjf
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
apache / airflow_cncf_kubernetes	5.0.0	7.0.0
apache-airflow-providers-cncf-kubernetes	5.0.0	7.0.0

https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq

Vulnerability Database

CVE-2023-33234