CVE-2023-37415 - OpenCVE

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797 Before 6.1.2 the proxy_user option can also inject semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Apache-airflow-providers-apache-hive

Configuration 1 [-]

cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/07/12/3	Mailing List Third Party Advisory
https://lists.apache.org/thread/9wx0jlckbnycjh8nj5qfwxo423zvm41k	Mailing List Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-07-13T07:35:33.474Z

Updated: 2023-07-13T07:35:33.474Z

Reserved: 2023-07-05T16:59:36.017Z

Link: CVE-2023-37415

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-13T08:15:10.767

Modified: 2023-07-25T14:51:35.160

Link: CVE-2023-37415

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-37415", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-07-05T16:59:36.017Z", "datePublished": "2023-07-13T07:35:33.474Z", "dateUpdated": "2023-07-13T07:35:33.474Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Airflow Apache Hive Provider", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.1.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Son Tran from VNPT - VCI"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.<br><br>Patching on top of CVE-2023-35797<br><p>Before 6.1.2<span style=\"background-color: rgb(255, 255, 255);\"> the proxy_user option can also inject semicolon.<br></span><br>This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.<br><br></p><p>It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.</p><p></p>"}], "value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.\n\nPatching on top of CVE-2023-35797\nBefore\u00a06.1.2\u00a0the proxy_user option can also inject semicolon.\n\nThis issue affects Apache Airflow Apache Hive Provider: before 6.1.2.\n\nIt is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-13T07:35:33.474Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/9wx0jlckbnycjh8nj5qfwxo423zvm41k"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}