CVE-2023-34395: Apache Airflow ODBC Provider Argument Injection vulnerability
CVSS Score: 7.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2023-34395
GHSA ID:
EPSS Score: 0.38573%
CWE:
Published: 6/27/2023
Updated: 11/10/2023
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| apache-airflow-providers-odbc | pip | < 4.0.0 | 4.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how OdbcHook handled driver parameters before version 4.0.0. The driver property (in odbc.py) took the driver value straight from the connection extras without validation, as shown in the pre-patch code where it reads self.connection_extra_lower.get('driver'). Because connection extras are editable through the Airflow UI, anyone able to edit a connection could point the hook at an arbitrary driver path. The patch added an 'allow_driver_extra' check and accompanying warnings, confirming that the pre-patch implementation was unsafe. The tests (test_odbc.py) show that a driver supplied via extras was previously accepted by default, and the changelog explicitly names constructor enforcement as the mitigation.
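As an added illustration (not code from apache-airflow-providers-odbc), the following models the two driver lookups described above side by side: the pre-patch lookup that trusts the extras, and a patched lookup where a constructor-supplied driver wins and an extras driver is only honoured behind an explicit opt-in. The Connection stand-in, the function names and the allow_driver_extra flag are assumptions chosen to mirror the description.

```python
# Constructed illustration, not code from apache-airflow-providers-odbc.
# Names (Connection stand-in, driver_pre_patch, driver_patched, allow_driver_extra)
# are assumptions chosen to mirror the root-cause description above.
import warnings
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Connection:
    """Stand-in for an Airflow Connection; extras are UI-editable JSON."""
    conn_id: str
    extra_dejson: dict = field(default_factory=dict)

def _extras_lower(conn: Connection) -> dict:
    # Extra keys are lower-cased before lookup, so 'Driver' and 'driver' both match.
    return {k.lower(): v for k, v in conn.extra_dejson.items()}

def driver_pre_patch(conn: Connection) -> Optional[str]:
    """Pre-4.0.0 behaviour: the driver named in extras is used without validation,
    so whoever can edit the connection chooses which driver library gets loaded."""
    return _extras_lower(conn).get("driver")

def driver_patched(conn: Connection, driver: Optional[str] = None,
                   allow_driver_extra: bool = False) -> Optional[str]:
    """Patched behaviour: a driver passed to the hook constructor always wins;
    a driver found in extras is only honoured when the deployment opts in,
    otherwise it is ignored and a warning is emitted."""
    if driver is not None:
        return driver
    extra_driver = _extras_lower(conn).get("driver")
    if extra_driver is None:
        return None
    if allow_driver_extra:
        return extra_driver
    warnings.warn(
        f"ignoring 'driver' from extras of connection {conn.conn_id!r}; "
        "pass driver= to the hook or enable allow_driver_extra to use it"
    )
    return None

if __name__ == "__main__":
    # Constructed sample: a connection whose extras were edited to name a driver path.
    conn = Connection("odbc_default", {"Driver": "/placeholder/edited-via-ui.so"})
    print("pre-patch:", driver_pre_patch(conn))   # extras value accepted as-is
    print("patched  :", driver_patched(conn))     # None, plus a warning
    print("explicit :", driver_patched(conn, driver="ODBC Driver 17 for SQL Server"))
```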