{"schema_version": "1.6.1", "id": "CVE-2023-27604", "summary": "Airflow Sqoop Provider RCE Vulnerability", "details": "Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.\n\n It is recommended to upgrade to a version that is not affected.\nThis issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.0.0"}]}]}], "references": [{"type": "WEB", "url": "https://github.com/apache/airflow/pull/33039"}, {"type": "WEB", "url": "https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd"}]}