VYPR
High severity · NVD Advisory · Published Jul 13, 2023 · Updated Feb 13, 2025

Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user

CVE-2023-37415

Description

Improper input validation in Apache Airflow Hive Provider before 6.1.2 allows proxy_user option to inject semicolons, enabling SQL injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Analysis

CVE-2023-37415 is an improper input validation vulnerability in the Apache Airflow Hive Provider, affecting versions prior to 6.1.2. The issue arises because the provider does not sanitize the user-supplied proxy_user option, so a semicolon can be injected through it. This builds upon a prior vulnerability, CVE-2023-35797, which was patched but left this vector unaddressed [2].

Exploitation

An attacker with the ability to specify the proxy_user value in a Hive connection can inject a semicolon to terminate the intended SQL statement and append additional arbitrary SQL commands. This attack requires some level of access to Airflow (e.g., ability to create or modify connections) but does not require authentication beyond standard Airflow user permissions [2]. The injection occurs because the provider does not adequately validate or escape semicolons before constructing the connection string.

Impact

Successful exploitation could allow an attacker to execute arbitrary SQL commands on the Hive metastore, potentially leading to data exfiltration, modification, or privilege escalation within the Hadoop/Hive environment [3]. The vulnerability is rated moderate severity.

Mitigation

The vulnerability is fixed in Apache Airflow Hive Provider version 6.1.2. Users are strongly advised to update their provider package to this version or later [2]. No workarounds are mentioned; updating is the recommended remediation.
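The following is an added illustration of the mechanism described in the Exploitation and Mitigation sections; it is not the Apache Airflow Hive Provider's own code. It assumes the shape of the string the provider builds (a Beeline JDBC URL whose parameters are ';'-separated, with the proxy user appended as hive.server2.proxy.user=...), and the function names and the allow-list regex are assumptions chosen for the example. It places the unchecked concatenation beside a validation step that refuses the separator before interpolation, which is the class of fix a version bump to 6.1.2 delivers.

```python
# Added example (not the provider's code). Names and the allow-list are assumptions.
import re

# Conservative allow-list for a proxy-user principal: letters, digits, '_', '.', '@', '-'.
# Assumption for this example; the real provider may apply a different rule.
_PROXY_USER_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")


def build_jdbc_url_unvalidated(host: str, port: int, schema: str, proxy_user: str) -> str:
    """Vulnerable pattern: the caller-controlled proxy_user is pasted into the
    ';'-separated JDBC parameter list with no check, so a ';' inside the value
    opens a new parameter (and, downstream, can terminate the intended statement)."""
    return f"jdbc:hive2://{host}:{port}/{schema};hive.server2.proxy.user={proxy_user}"


def validate_proxy_user(proxy_user: str) -> str:
    """Hardened check: reject the ';' separator named in the advisory, then
    require the value to match a tight allow-list. Returns the value unchanged
    when it is acceptable."""
    if ";" in proxy_user:
        raise ValueError("proxy_user must not contain ';'")
    if not _PROXY_USER_RE.fullmatch(proxy_user):
        raise ValueError(f"proxy_user contains disallowed characters: {proxy_user!r}")
    return proxy_user


def build_jdbc_url_validated(host: str, port: int, schema: str, proxy_user: str) -> str:
    """Same URL construction, but the proxy_user is validated first."""
    return build_jdbc_url_unvalidated(host, port, schema, validate_proxy_user(proxy_user))


def is_accepted(proxy_user: str) -> bool:
    """True if the validator lets the value through, False if it raises."""
    try:
        validate_proxy_user(proxy_user)
        return True
    except ValueError:
        return False


def param_count(url: str) -> int:
    """Number of ';'-separated parameters after the path. A single proxy_user
    should contribute exactly one; a second one means the value smuggled in a
    separator."""
    return len(url.split(";")) - 1


# Constructed sample values for the demonstration.
GOOD_PROXY_USER = "analyst"
BAD_PROXY_USER = "analyst;extra.setting=1"  # constructed; the ';' is the injected separator

if __name__ == "__main__":
    host, port, schema = "hive.example.internal", 10000, "default"
    print("unchecked:", build_jdbc_url_unvalidated(host, port, schema, BAD_PROXY_USER))
    print("checked  :", build_jdbc_url_validated(host, port, schema, GOOD_PROXY_USER))
    try:
        build_jdbc_url_validated(host, port, schema, BAD_PROXY_USER)
    except ValueError as exc:
        print("rejected :", exc)
```

Running the block prints the unchecked URL carrying two parameters where one was intended, the validated URL for a normal user name, and the rejection for the value containing a semicolon. The design point is that the check runs on the raw option value before it is interpolated anywhere; escaping after concatenation would be too late for a ';'-delimited format.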

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Ecosystem   Affected versions   Patched versions
apache-airflow-providers-apache-hive  PyPI        < 6.1.2             6.1.2

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (No linked articles in our index yet.)