HIGH🇬🇧 English

CVE-2023-33234

CVSS 7.2v3.1pub. 2023-05-30upd. 2026-07-02

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner.  Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Apache Airflow Providers Cncf Kubernetes

    APP
    Apache
    5.0.0 – 7.0.0 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEContainer
CWE
Referencje

Powiązane podatności

CVE-2026-27173HIGH8.7ten sam produkt

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only acce...

CVE-2023-51702MEDIUM6.5ten sam produkt

Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentic...

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych

CVE-2024-38856CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację

CVE-2024-38475CRITICAL9.1⚠ KEVPL ✓ten sam vendor

Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie