Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for apache-airflow-providers-apache-hive by apache
CVE-2023-37415 (GCVE-0-2023-37415)
Vulnerability from cvelistv5 – Published: 2023-07-13 07:35 – Updated: 2025-02-13 17:01
VLAI
Title
Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user
Summary
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.
Patching on top of CVE-2023-35797
Before 6.1.2 the proxy_user option can also inject semicolon.
This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.
It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Apache Hive Provider |
Affected:
0 , < 6.1.2
(semver)
|
|
| apache | apache-airflow-providers-apache-hive |
Affected:
0 , < 6.1.2
(custom)
cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:29.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/9wx0jlckbnycjh8nj5qfwxo423zvm41k"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-apache-hive",
"vendor": "apache",
"versions": [
{
"lessThan": "6.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-37415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T13:51:20.544090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T13:53:03.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Apache Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "6.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Son Tran from VNPT - VCI"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.\u003cbr\u003e\u003cbr\u003ePatching on top of CVE-2023-35797\u003cbr\u003e\u003cp\u003eBefore\u0026nbsp;6.1.2\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;the proxy_user option can also inject semicolon.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow Apache Hive Provider: before 6.1.2.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eIt is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.\n\nPatching on top of CVE-2023-35797\nBefore\u00a06.1.2\u00a0the proxy_user option can also inject semicolon.\n\nThis issue affects Apache Airflow Apache Hive Provider: before 6.1.2.\n\nIt is recommended updating provider version to 6.1.2 in order to avoid this vulnerability."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T22:07:19.856Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/9wx0jlckbnycjh8nj5qfwxo423zvm41k"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-37415",
"datePublished": "2023-07-13T07:35:33.474Z",
"dateReserved": "2023-07-05T16:59:36.017Z",
"dateUpdated": "2025-02-13T17:01:18.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35797 (GCVE-0-2023-35797)
Vulnerability from cvelistv5 – Published: 2023-07-03 09:08 – Updated: 2025-02-13 16:55
VLAI
Title
Apache Airflow Hive Provider Beeline RCE with Principal
Summary
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.
This issue affects Apache Airflow Apache Hive Provider: before 6.1.1.
Before version 6.1.1 it was possible to bypass the security check to RCE via
principal parameter. For this to be exploited it requires access to modifying the connection details.
It is recommended updating provider version to 6.1.1 in order to avoid this vulnerability.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Apache Hive Provider |
Affected:
0 , < 6.1.1
(semver)
|
|
| apache | apache-airflow-providers-apache-hive |
Affected:
0 , < 6.1.1
(custom)
cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31983"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-apache-hive",
"vendor": "apache",
"versions": [
{
"lessThan": "6.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-35797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:27:39.439056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:29:34.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Apache Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "6.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow Apache Hive Provider: before 6.1.1.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBefore version 6.1.1 it was\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003epossible to bypass the security check to RCE via\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprincipal parameter. For this to be\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploited it requires access to modifying the connection details.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eIt is recommended updating provider version to 6.1.1 in order to avoid this\u0026nbsp;vulnerability.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.\nThis issue affects Apache Airflow Apache Hive Provider: before 6.1.1.\n\nBefore version 6.1.1 it was\u00a0possible to bypass the security check to RCE via\nprincipal parameter. For this to be\u00a0exploited it requires access to modifying the connection details.\n\nIt is recommended updating provider version to 6.1.1 in order to avoid this\u00a0vulnerability."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T22:07:18.438Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31983"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Hive Provider Beeline RCE with Principal",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35797",
"datePublished": "2023-07-03T09:08:53.795Z",
"dateReserved": "2023-06-17T19:36:58.422Z",
"dateUpdated": "2025-02-13T16:55:55.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25696 (GCVE-0-2023-25696)
Vulnerability from cvelistv5 – Published: 2023-02-24 11:48 – Updated: 2024-10-23 19:10
VLAI
Title
Apache Airflow Hive Provider Beeline RCE
Summary
Improper Input Validation vulnerability in the Apache Airflow Hive Provider.
This issue affects Apache Airflow Hive Provider versions before 5.1.3.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/29502 | patch |
| https://lists.apache.org/thread/99g0qm56wmgdxmbtd… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Hive Provider |
Affected:
0 , < 5.1.3
(semver)
|
|
| apache | apache-airflow-providers-apache-hive |
Affected:
0 , < 5.1.3
(custom)
cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:32:11.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/29502"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/99g0qm56wmgdxmbtdsvhj4rdnxhpzpml"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-apache-hive",
"vendor": "apache",
"versions": [
{
"lessThan": "5.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-25696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T19:09:50.718620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T19:10:47.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "5.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in the Apache Airflow Hive Provider.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow Hive Provider versions before 5.1.3.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in the Apache Airflow Hive Provider.\n\nThis issue affects Apache Airflow Hive Provider versions before 5.1.3.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-24T11:48:21.189Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/29502"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/99g0qm56wmgdxmbtdsvhj4rdnxhpzpml"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Hive Provider Beeline RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-25696",
"datePublished": "2023-02-24T11:48:21.189Z",
"dateReserved": "2023-02-13T02:07:50.225Z",
"dateUpdated": "2024-10-23T19:10:47.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46421 (GCVE-0-2022-46421)
Vulnerability from cvelistv5 – Published: 2022-12-20 10:20 – Updated: 2025-04-16 18:10
VLAI
Title
Apache Airflow Hive Provider: Hive Provider RCE vulnerability with hive_cli_params
Summary
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/28101 | patch |
| https://lists.apache.org/thread/09twdoyoybldlfj5g… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Hive Provider |
Affected:
0 , < 5.0.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:31:46.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/28101"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/09twdoyoybldlfj5gvk0qswtofh0rmp4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T18:10:03.303358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T18:10:28.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Security Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow Hive Provider.\u003cp\u003eThis issue affects Apache Airflow Hive Provider: before 5.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-20T10:20:39.431Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/28101"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/09twdoyoybldlfj5gvk0qswtofh0rmp4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Airflow Hive Provider: Hive Provider RCE vulnerability with hive_cli_params",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46421",
"datePublished": "2022-12-20T10:20:39.431Z",
"dateReserved": "2022-12-04T22:42:18.098Z",
"dateUpdated": "2025-04-16T18:10:28.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41131 (GCVE-0-2022-41131)
Vulnerability from cvelistv5 – Published: 2022-11-22 00:00 – Updated: 2025-04-29 15:11
VLAI
Title
Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)
Summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Hive Provider |
Affected:
unspecified , < 4.1.0
(custom)
|
|
| Apache Software Foundation | Apache Airflow |
Affected:
2.3.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:35:49.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/27647"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/wwo3qp0z8gv54yzn7hr04wy4n8gb0vhl"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-41131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:11:00.216562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:11:16.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Airflow Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for reporting the issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed)."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://github.com/apache/airflow/pull/27647"
},
{
"url": "https://lists.apache.org/thread/wwo3qp0z8gv54yzn7hr04wy4n8gb0vhl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-41131",
"datePublished": "2022-11-22T00:00:00.000Z",
"dateReserved": "2022-09-19T00:00:00.000Z",
"dateUpdated": "2025-04-29T15:11:16.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37415 (GCVE-0-2023-37415)
Vulnerability from nvd – Published: 2023-07-13 07:35 – Updated: 2025-02-13 17:01
VLAI
Title
Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user
Summary
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.
Patching on top of CVE-2023-35797
Before 6.1.2 the proxy_user option can also inject semicolon.
This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.
It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Apache Hive Provider |
Affected:
0 , < 6.1.2
(semver)
|
|
| apache | apache-airflow-providers-apache-hive |
Affected:
0 , < 6.1.2
(custom)
cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:29.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/9wx0jlckbnycjh8nj5qfwxo423zvm41k"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-apache-hive",
"vendor": "apache",
"versions": [
{
"lessThan": "6.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-37415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T13:51:20.544090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T13:53:03.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Apache Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "6.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Son Tran from VNPT - VCI"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.\u003cbr\u003e\u003cbr\u003ePatching on top of CVE-2023-35797\u003cbr\u003e\u003cp\u003eBefore\u0026nbsp;6.1.2\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;the proxy_user option can also inject semicolon.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache Airflow Apache Hive Provider: before 6.1.2.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eIt is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.\n\nPatching on top of CVE-2023-35797\nBefore\u00a06.1.2\u00a0the proxy_user option can also inject semicolon.\n\nThis issue affects Apache Airflow Apache Hive Provider: before 6.1.2.\n\nIt is recommended updating provider version to 6.1.2 in order to avoid this vulnerability."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T22:07:19.856Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/9wx0jlckbnycjh8nj5qfwxo423zvm41k"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-37415",
"datePublished": "2023-07-13T07:35:33.474Z",
"dateReserved": "2023-07-05T16:59:36.017Z",
"dateUpdated": "2025-02-13T17:01:18.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35797 (GCVE-0-2023-35797)
Vulnerability from nvd – Published: 2023-07-03 09:08 – Updated: 2025-02-13 16:55
VLAI
Title
Apache Airflow Hive Provider Beeline RCE with Principal
Summary
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.
This issue affects Apache Airflow Apache Hive Provider: before 6.1.1.
Before version 6.1.1 it was possible to bypass the security check to RCE via
principal parameter. For this to be exploited it requires access to modifying the connection details.
It is recommended updating provider version to 6.1.1 in order to avoid this vulnerability.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Apache Hive Provider |
Affected:
0 , < 6.1.1
(semver)
|
|
| apache | apache-airflow-providers-apache-hive |
Affected:
0 , < 6.1.1
(custom)
cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/31983"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-apache-hive",
"vendor": "apache",
"versions": [
{
"lessThan": "6.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-35797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T18:27:39.439056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T18:29:34.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Apache Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "6.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow Apache Hive Provider: before 6.1.1.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBefore version 6.1.1 it was\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003epossible to bypass the security check to RCE via\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprincipal parameter. For this to be\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexploited it requires access to modifying the connection details.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eIt is recommended updating provider version to 6.1.1 in order to avoid this\u0026nbsp;vulnerability.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.\nThis issue affects Apache Airflow Apache Hive Provider: before 6.1.1.\n\nBefore version 6.1.1 it was\u00a0possible to bypass the security check to RCE via\nprincipal parameter. For this to be\u00a0exploited it requires access to modifying the connection details.\n\nIt is recommended updating provider version to 6.1.1 in order to avoid this\u00a0vulnerability."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T22:07:18.438Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/31983"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1y"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Hive Provider Beeline RCE with Principal",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-35797",
"datePublished": "2023-07-03T09:08:53.795Z",
"dateReserved": "2023-06-17T19:36:58.422Z",
"dateUpdated": "2025-02-13T16:55:55.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25696 (GCVE-0-2023-25696)
Vulnerability from nvd – Published: 2023-02-24 11:48 – Updated: 2024-10-23 19:10
VLAI
Title
Apache Airflow Hive Provider Beeline RCE
Summary
Improper Input Validation vulnerability in the Apache Airflow Hive Provider.
This issue affects Apache Airflow Hive Provider versions before 5.1.3.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/29502 | patch |
| https://lists.apache.org/thread/99g0qm56wmgdxmbtd… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Hive Provider |
Affected:
0 , < 5.1.3
(semver)
|
|
| apache | apache-airflow-providers-apache-hive |
Affected:
0 , < 5.1.3
(custom)
cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:32:11.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/29502"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/99g0qm56wmgdxmbtdsvhj4rdnxhpzpml"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-apache-hive:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-apache-hive",
"vendor": "apache",
"versions": [
{
"lessThan": "5.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-25696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T19:09:50.718620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T19:10:47.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "5.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Secruity Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in the Apache Airflow Hive Provider.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow Hive Provider versions before 5.1.3.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in the Apache Airflow Hive Provider.\n\nThis issue affects Apache Airflow Hive Provider versions before 5.1.3.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-24T11:48:21.189Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/29502"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/99g0qm56wmgdxmbtdsvhj4rdnxhpzpml"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Hive Provider Beeline RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-25696",
"datePublished": "2023-02-24T11:48:21.189Z",
"dateReserved": "2023-02-13T02:07:50.225Z",
"dateUpdated": "2024-10-23T19:10:47.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46421 (GCVE-0-2022-46421)
Vulnerability from nvd – Published: 2022-12-20 10:20 – Updated: 2025-04-16 18:10
VLAI
Title
Apache Airflow Hive Provider: Hive Provider RCE vulnerability with hive_cli_params
Summary
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/28101 | patch |
| https://lists.apache.org/thread/09twdoyoybldlfj5g… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Hive Provider |
Affected:
0 , < 5.0.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:31:46.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/28101"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/09twdoyoybldlfj5gvk0qswtofh0rmp4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T18:10:03.303358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T18:10:28.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "id_No2015429 of 3H Security Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow Hive Provider.\u003cp\u003eThis issue affects Apache Airflow Hive Provider: before 5.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-20T10:20:39.431Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/28101"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/09twdoyoybldlfj5gvk0qswtofh0rmp4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Airflow Hive Provider: Hive Provider RCE vulnerability with hive_cli_params",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46421",
"datePublished": "2022-12-20T10:20:39.431Z",
"dateReserved": "2022-12-04T22:42:18.098Z",
"dateUpdated": "2025-04-16T18:10:28.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41131 (GCVE-0-2022-41131)
Vulnerability from nvd – Published: 2022-11-22 00:00 – Updated: 2025-04-29 15:11
VLAI
Title
Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)
Summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Hive Provider |
Affected:
unspecified , < 4.1.0
(custom)
|
|
| Apache Software Foundation | Apache Airflow |
Affected:
2.3.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:35:49.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/27647"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/wwo3qp0z8gv54yzn7hr04wy4n8gb0vhl"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-41131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:11:00.216562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:11:16.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Airflow Hive Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for reporting the issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed)."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://github.com/apache/airflow/pull/27647"
},
{
"url": "https://lists.apache.org/thread/wwo3qp0z8gv54yzn7hr04wy4n8gb0vhl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-41131",
"datePublished": "2022-11-22T00:00:00.000Z",
"dateReserved": "2022-09-19T00:00:00.000Z",
"dateUpdated": "2025-04-29T15:11:16.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}