cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2023-40195,https://securityvulnerability.io/vulnerability/CVE-2023-40195,Apache Airflow Spark Provider Deserialization Vulnerability RCE,"The vulnerability involves the deserialization of untrusted data in the Apache Airflow Spark Provider, allowing authorized users to execute arbitrary code on the Airflow node by misconfiguring it to interact with a malicious Spark server. Prior to version 4.1.3, this issue wasn’t clearly documented, which may have led administrators to unknowingly grant too much access. It’s crucial that administrators review their configurations and restrict permissions to configure Spark hooks exclusively to trusted individuals, as this can mitigate the risk of exploitation.",Apache,Apache Airflow Spark Provider,8.8,HIGH,0.0012499999720603228,false,,false,false,false,,,false,false,,2023-08-28T08:15:00.000Z,0
CVE-2023-40272,https://securityvulnerability.io/vulnerability/CVE-2023-40272,Apache Airflow Spark Provider Arbitrary File Read via JDBC,"The Apache Airflow Spark Provider prior to version 4.1.3 contains a vulnerability that enables attackers to exploit insecure connection parameters. This flaw may allow unauthorized file access on the Airflow server, potentially leading to unauthorized data exposure and compromise. To mitigate this risk, users are urged to update to a secure version of the software.",Apache,Apache Airflow Spark Provider,7.5,HIGH,0.000590000010561198,false,,false,false,false,,,false,false,,2023-08-17T14:15:00.000Z,0
CVE-2023-28710,https://securityvulnerability.io/vulnerability/CVE-2023-28710,Apache Airflow Spark Provider Arbitrary File Read via JDBC,"An input validation issue exists in the Apache Airflow Spark Provider, affecting versions prior to 4.0.1, which may lead to unauthorized access or manipulation of data. Proper validation mechanisms are crucial to ensure that user inputs do not lead to unintended consequences within the application.",Apache,Apache Airflow Spark Provider,7.5,HIGH,0.001560000004246831,false,,false,false,false,,,false,false,,2023-04-07T15:15:00.000Z,0
CVE-2022-40954,https://securityvulnerability.io/vulnerability/CVE-2022-40954,Apache Airflow Spark Provider RCE that bypasses restrictions to read arbitrary files,"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Spark Provider installed.",Apache,"Apache Airflow Spark Provider,Apache Airflow",5.5,MEDIUM,0.0005799999926239252,false,,false,false,false,,,false,false,,2022-11-22T00:00:00.000Z,0