GHSA-q57w-826p-46jr

Source

https://github.com/advisories/GHSA-q57w-826p-46jr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-q57w-826p-46jr/GHSA-q57w-826p-46jr.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-q57w-826p-46jr

Aliases

CVE-2023-35798

Published

2023-06-27T12:30:42Z

Modified

2023-11-10T05:22:54.664751Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Apache Airflow ODBC Provider, Apache Airflow MSSQL Provider Improper Input Validation vulnerability

Details

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use get_sqlalchemy_connection and someone with access to connection resources specifically updating the connection to exploit it.

This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.

It is recommended to upgrade to a version that is not affected

Database specific

{
    "nvd_published_at": "2023-06-27T12:15:13Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-30T20:26:33Z"
}

References

Affected packages

PyPI / apache-airflow-providers-odbc

Package

Name: apache-airflow-providers-odbc; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow-providers-odbc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.0

Affected versions

1.*

1.0.0b1

1.0.0b2

1.0.0rc1

1.0.0

1.0.1rc1

1.0.1

2.*

2.0.0rc1

2.0.0rc2

2.0.0

2.0.1rc1

2.0.1

2.0.2rc1

2.0.2

2.0.3rc1

2.0.3

2.0.4rc1

2.0.4

3.*

3.0.0rc1

3.0.0rc2

3.0.0

3.1.0rc1

3.1.0

3.1.1rc1

3.1.1rc2

3.1.1rc3

3.1.1

3.1.2rc1

3.1.2

3.2.0rc1

3.2.0

3.2.1rc2

3.2.1rc3

3.2.1

3.3.0rc1

3.3.0rc2

3.3.0

4.*

4.0.0rc1

PyPI / apache-airflow-providers-microsoft-mssql

Package

Name: apache-airflow-providers-microsoft-mssql; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow-providers-microsoft-mssql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.1

Affected versions

1.*

1.0.0b1

1.0.0b2

1.0.0rc1

1.0.0

1.0.1rc1

1.0.1

1.1.0rc1

1.1.0

2.*

2.0.0rc1

2.0.0rc2

2.0.0

2.0.1rc1

2.0.1

2.1.0rc1

2.1.0rc2

2.1.0

2.1.1rc1

2.1.1

2.1.2rc1

2.1.2

2.1.3rc1

2.1.3

3.*

3.0.0rc1

3.0.0rc2

3.0.0

3.1.0rc1

3.1.0

3.2.0rc1

3.2.0rc2

3.2.0rc3

3.2.0

3.2.1rc1

3.2.1

3.3.0rc1

3.3.0

3.3.1rc2

3.3.1rc3

3.3.1

3.3.2rc1

3.3.2rc2

3.3.2

3.4.0rc1

3.4.0rc2

3.4.0

3.4.1rc1

Ecosystem specific

{
    "affected_functions": [
        "airflow.providers.microsoft.mssql.hooks.mssql.MsSqlHook.get_sqlalchemy_connection"
    ]
}