CVE-2023-28710 — Apache Airflow Spark Provider vulnerable to improper input validation

Description

Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of JDBC Hook can contain `/` and `?` which is used to denote the end of the field.

How to fix CVE-2023-28710

To remediate CVE-2023-28710, upgrade the affected package to a fixed version below.

—upgrade to 4.0.1 or later

Is CVE-2023-28710 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-28710
PATCHgithub.com/apache/airflow
WEBgithub.com/apache/airflow/pull/30223
WEBlists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v5x1p1d2
WEB