{"schema_version": "1.6.1", "id": "CVE-2023-40272", "summary": "Apache Airflow Spark Provider Arbitrary File Read via JDBC", "details": "Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server.\nIt is recommended to upgrade to a version that is not affected.\n\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.1.3"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtqmw6k1l7"}]}