CVE-2023-34395

27.06.2023, 12:15

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.
In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution.
Starting version 4.0.0 driver can be set only from the hook constructor.
This issue affects Apache Airflow ODBC Provider: before 4.0.0.

Argument Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
apache	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
apache	apache-airflow-providers-odbc	𝑥 < 4.0.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References

https://github.com/apache/airflow/pull/31713

https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd

https://github.com/apache/airflow/pull/31713

https://lists.apache.org/thread/l26yykftzbhc9tgcph8cso88bc2lqwwd