Miggo Logo
Miggo Vulnerability Database
CVE-2023-28710

CVE-2023-28710:
Apache Airflow Spark Provider vulnerable to improper input validation

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-28710
GHSA ID
GHSA-ffj9-4crc-q7wf
EPSS Score
0.48635%
CWE
CWE-20
Published
4/7/2023
Updated
4/14/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
apache-airflow-providers-apache-sparkpip< 4.0.14.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper validation in JDBC URL construction. The GitHub PR #30223 explicitly adds validation for 'host' and 'schema' fields, targeting the JDBC Hook. The functions responsible for handling connection parameters and URL assembly (get_connection and build_jdbc_url) would be the logical points where unsanitized inputs were used. The CVE description and patch context confirm these components were modified to address the issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** So*tw*r* *oun**tion *p**** *ir*low Sp*rk Provi**r ***or* *.*.* is vuln*r**l* to improp*r input v*li**tion ****us* t** *ost *n* s***m* o* J*** *ook **n *ont*in `/` *n* `?` w*i** is us** to **not* t** *n* o* t** *i*l*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r v*li**tion in J*** URL *onstru*tion. T** *it*u* PR #***** *xpli*itly ***s v*li**tion *or '*ost' *n* 's***m*' *i*l*s, t*r**tin* t** J*** *ook. T** *un*tions r*sponsi*l* *or **n*lin* *onn**tion p*r*m*t*rs *n* URL *