
GHSA-r2f6-6928-fh8f

GitHub Security Advisory

Apache Airflow Spark Provider Improper Input Validation vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection, giving them an opportunity to read files on the Airflow server.
It is recommended to upgrade to a version that is not affected.

Affected Packages

PyPI apache-airflow-providers-apache-spark
Affected versions: all versions before 4.1.3 (fixed in 4.1.3)

Key Information

GHSA ID: GHSA-r2f6-6928-fh8f
Published: August 17, 2023 3:30 PM
Last Modified: February 13, 2025 7:10 PM
CVSS Score: 7.5/10
Primary Ecosystem: PyPI
Primary Package: apache-airflow-providers-apache-spark
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.