Vulnerability Description
In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow Hdfs Provider | < 4.1.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/09/14/3Mailing ListThird Party Advisory
- https://github.com/apache/airflow/pull/33813Patch
- https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7zMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2023/09/14/3Mailing ListThird Party Advisory
- https://github.com/apache/airflow/pull/33813Patch
- https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7zMailing ListVendor Advisory
FAQ
What is CVE-2023-41267?
CVE-2023-41267 is a vulnerability with a CVSS score of 7.8 (HIGH). In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could c...
How severe is CVE-2023-41267?
CVE-2023-41267 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-41267?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow Hdfs Provider.