Login Sign Up

CVE-2023-40272

7.5 HIGH

📋 TL;DR

This vulnerability in Apache Airflow Spark Provider allows attackers to inject malicious parameters when establishing connections, potentially enabling file read access on the Airflow server. It affects organizations using Apache Airflow with Spark Provider before version 4.1.3. The vulnerability stems from improper input validation (CWE-20).

💻 Affected Systems

Products:
  • Apache Airflow Spark Provider
Versions: All versions before 4.1.3
Operating Systems: All operating systems running affected Airflow versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Spark Provider functionality to be enabled and accessible.

📦 What is this software?

Apache Airflow Providers Apache Spark by Apache

View all CVEs affecting Apache Airflow Providers Apache Spark →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server file system read access leading to credential theft, configuration exposure, and potential lateral movement.

🟠

Likely Case

Limited file read access to directories accessible by the Airflow process, potentially exposing sensitive configuration files and credentials.

🟢

If Mitigated

No impact if proper network segmentation and least privilege access controls are implemented.

🌐 Internet-Facing: HIGH if Airflow web interface is internet-accessible, as attackers could exploit this remotely.
🏢 Internal Only: MEDIUM for internal deployments, requiring attacker access to the Airflow interface or API.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Airflow connection configuration interface or API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.3

Vendor Advisory: https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtqmw6k1l7

Restart Required: Yes

Instructions:

1. Upgrade Apache Airflow Spark Provider to version 4.1.3 or later using pip: 'pip install --upgrade apache-airflow-providers-apache-spark>=4.1.3'. 2. Restart all Airflow services. 3. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Connection Configuration Access

all

Limit access to Airflow connection configuration interface to trusted administrators only.

Network Segmentation

all

Isolate Airflow servers from sensitive file systems and other critical infrastructure.

🧯 If You Can't Patch

  • Implement strict access controls to Airflow web interface and API endpoints
  • Monitor for suspicious connection configuration changes and file access patterns

🔍 How to Verify

Check if Vulnerable:

Check installed Spark Provider version: 'pip show apache-airflow-providers-apache-spark | grep Version'

Check Version:

pip show apache-airflow-providers-apache-spark | grep Version

Verify Fix Applied:

Verify version is 4.1.3 or higher: 'pip list | grep apache-airflow-providers-apache-spark'

📡 Detection & Monitoring

Log Indicators:

  • Unusual connection parameter configurations
  • File read operations from Airflow process to unexpected paths

Network Indicators:

  • Suspicious API calls to connection configuration endpoints

SIEM Query:

source="airflow" AND (event="connection_modified" OR event="file_access")

📊 Metadata

CVE ID: CVE-2023-40272
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-20
Published: August 17, 2023
Last Updated: February 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-40272, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2024-3400 10.0

CVE-2024-3400 is a critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProte...

Same vulnerability type (CWE-20)
CVE-2023-42802 10.0

This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized d...

Same vulnerability type (CWE-20)