CVE-2023-40195

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published: Aug 28, 2023
Updated: Sep 1, 2023
CWE ID 829
CWE ID 502

Summary

CVE-2023-40195 is a deserialization vulnerability (CWE-502) affecting the Apache Airflow Spark Provider. A user who is not fully trusted but who has been granted permission to configure Spark hooks can effectively run arbitrary code on an Airflow node by pointing the hook at a Spark server they control. Prior to version 4.1.3 of the provider, this risk was not explicitly noted in the documentation, increasing the chance that administrators granted this permission unintentionally. Administrators are advised to review which users can create or edit Spark connections and hooks and to restrict that permission to fully trusted users. For the documentation warning added in 4.1.3, refer to the Apache Airflow Spark Provider connection documentation at <https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html>.
