HackerOne report H1:1891795 (leixiao)
Mar 04, 2023 - 2:59 a.m.

Internet Bug Bounty: RCE vulnerability in apache-airflow-providers-apache-sqoop 3.1.0

2023-03-04 02:59:38
leixiao
hackerone.com
$2400
199
internet bug bounty
remote code execution
apache sqoop
arbitrary system commands

EPSS

0.002

Percentile

58.0%

In airflow.providers.apache.sqoop.hooks.sqoop.SqoopHook._prepare_command, users can control -libjars through libjars in the Connection. -libjars makes sure each MR task gets these jars in the classpath, so I can set this to a malicious Jar package, causing arbitrary system commands to be executed on the machine performing the MR task.

This is a screenshot of my email reporting this vulnerability:
██████████

Impact

Remote Code Execution
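As an added defender-side example (not code from the report, from HackerOne, or from the Airflow project), the check below audits the `libjars` extra of a Sqoop connection against a directory allowlist before the connection is trusted. It assumes, as the report describes, that the value is handed to `-libjars`, and, as Hadoop does for that flag, that it is a comma-separated list of jar paths; the trusted directories are constructed placeholders.

```python
"""Audit the `libjars` value in an Airflow Sqoop connection's extra JSON.

Added example, not code from the report or from Airflow. Assumes that the
connection's `libjars` extra is passed straight to the Sqoop `-libjars`
flag, which Hadoop reads as a comma-separated list of jar paths.
"""
import json
import posixpath
from urllib.parse import urlparse

# Constructed allowlist: the only directories jars may be loaded from.
TRUSTED_JAR_DIRS = ("/opt/sqoop/lib/", "/usr/lib/sqoop/lib/")


def audit_libjars(extra_json: str) -> list[str]:
    """Return one finding per libjars entry that falls outside the allowlist.

    An empty list means every entry is a local .jar under a trusted directory.
    """
    try:
        extra = json.loads(extra_json) if extra_json else {}
    except json.JSONDecodeError:
        return ["extra is not valid JSON"]
    raw = extra.get("libjars")
    if not raw:
        return []
    # Accept either a JSON list or the comma-separated string Hadoop expects.
    entries = raw if isinstance(raw, list) else str(raw).split(",")
    findings: list[str] = []
    for entry in entries:
        jar = str(entry).strip()
        if not jar:
            continue
        scheme = urlparse(jar).scheme
        if scheme and scheme != "file":
            # hdfs://, http://, s3a:// etc. let a remote party supply the jar.
            findings.append(f"remote jar source: {jar}")
            continue
        path = jar[len("file://"):] if jar.startswith("file://") else jar
        # normpath collapses "../" so traversal out of a trusted dir is caught.
        path = posixpath.normpath(path)
        if not path.endswith(".jar"):
            findings.append(f"not a .jar file: {jar}")
        elif not path.startswith(TRUSTED_JAR_DIRS):
            findings.append(f"jar outside trusted directories: {jar}")
    return findings
```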
