CVE-2023-37415: Apache Airflow Apache Hive Provider Improper Input Validation vulnerability

July 13, 2023 (updated February 13, 2025)

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.

Patching on top of CVE-2023-35797 Before 6.1.2 the proxy_user option can also inject semicolon.

This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.

It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.

References

github.com/advisories/GHSA-4q2q-q5pw-2342
github.com/apache/airflow
lists.apache.org/thread/9wx0jlckbnycjh8nj5qfwxo423zvm41k
nvd.nist.gov/vuln/detail/CVE-2023-37415

Code Behaviors & Features

Detect and mitigate CVE-2023-37415 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →