{"schema_version": "1.6.1", "id": "CVE-2023-34395", "summary": "Remote code execution vulnerability", "details": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.\nIn OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.\nStarting version 4.0.0 driver can be set only from the hook constructor.\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0.\n\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.0.0"}]}]}], "references": [{"type": "WEB", "url": "https://github.com/apache/airflow/pull/31713"}, {"type": "WEB", "url": "https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd"}]}