Description
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.
References (1)
Core 1
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/n1vpgl6h2qsdm52o9m2tx1oo86tl4gnq
Scores
CVSS v3
7.2
EPSS
0.0046
EPSS Percentile
64.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (2)
apache/airflow_cncf_kubernetes
5.0.0 - 7.0.0
pypi/apache-airflow-providers-cncf-kubernetes
5.0.0 - 7.0.0PyPI
Published
May 30, 2023
Tracked Since
Feb 18, 2026