CVE-2023-35798

low-risk

Published 2023-06-27

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it. This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1. It is recommended to upgrade to a version that is not affected

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Apache-Airflow-Providers-Microsoft-Mssql

Apache-Airflow-Providers-Odbc

Affected Vendors

Apache

References (4)

Patch https://github.com/apache/airflow/pull/31984

Mailing List https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj

Patch https://github.com/apache/airflow/pull/31984

Mailing List https://lists.apache.org/thread/951rb9m7wwox5p30tdvcfjxq8j1mp4pj

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low