CVE-2023-28710 Apache Airflow Spark Provider Arbitrary File Read via JDBC
Medium
Vulnerability Details
In all versions of Apache Airflow Spark Provider (verified against version 4.0.0), connection parameters are not effectively filtered. An attacker can pass malicious schema parameters (including a malicious JDBC URL) when a connection is established through SparkJDBCHook, so that a malicious MySQL server can read arbitrary files from the Airflow host when the connection is made.
This is a screenshot of the email I submitted and the ASF response email.
## Impact
When Airflow does not have authentication enabled, an attacker can modify the existing connection configuration so that a DAG using SparkJDBCOperator connects to a malicious MySQL server (or another type of server) when it runs, allowing the attacker to read files on the system. More seriously, the attacker can send malicious serialized data, which can ultimately lead to remote code execution.
The deserialization command was not successfully verified because the apache-commons-collections 3.2.2 version used by pyspark is too recent, but when the JDK used by the target system is 7u21, or when other exploit chains are available, the deserialization can lead to command execution.
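As an added defensive illustration (not code from this report or from the Airflow project), the Python below shows an allowlist check a deployment could run over a JDBC URL before it is handed to SparkJDBCHook, so that a connection edited to point at an unexpected driver, host or driver option fails closed. The policy table, the hosts in it and the names validate_jdbc_url and is_safe_jdbc_url are hypothetical.

```python
"""Allowlist validation for a Spark JDBC connection URL (hypothetical example;
not part of the report or of apache-airflow-providers-apache-spark)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical per-deployment policy: the only drivers, hosts and driver
# options a DAG may hand to the Spark JDBC hook. Anything else is rejected.
JDBC_POLICY = {
    "drivers": {"postgresql", "mysql"},
    "hosts": {"warehouse.internal.example"},
    "params": {"ssl", "sslmode", "connectTimeout"},
}

# jdbc:<driver>://host[:port]/db[?opts]; the tail is parsed with urlsplit.
_JDBC_RE = re.compile(r"^jdbc:(?P<driver>[a-z0-9]+):(?P<rest>//.*)$", re.IGNORECASE)


class UnsafeJdbcUrl(ValueError):
    """Raised when a connection URL fails the policy checks."""


def validate_jdbc_url(url: str, policy: dict = JDBC_POLICY) -> dict:
    """Return the parsed, policy-approved components or raise UnsafeJdbcUrl."""
    m = _JDBC_RE.match(url.strip())
    if not m:
        raise UnsafeJdbcUrl("not a jdbc:<driver>://... URL")
    driver = m.group("driver").lower()
    if driver not in policy["drivers"]:
        raise UnsafeJdbcUrl(f"driver {driver!r} not allowed")
    parts = urlsplit(m.group("rest"))
    if parts.username or parts.password:
        raise UnsafeJdbcUrl("credentials belong in the Airflow connection, not the URL")
    if parts.hostname not in policy["hosts"]:
        raise UnsafeJdbcUrl(f"host {parts.hostname!r} not allowed")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise UnsafeJdbcUrl("malformed port") from exc
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    unknown = set(params) - policy["params"]
    if unknown:
        # Allowlist rather than denylist: any driver option not explicitly
        # approved for this deployment is refused, whatever it does.
        raise UnsafeJdbcUrl(f"unexpected driver options: {sorted(unknown)}")
    return {"driver": driver, "host": parts.hostname, "port": port,
            "database": parts.path.lstrip("/"), "params": params}


def is_safe_jdbc_url(url: str, policy: dict = JDBC_POLICY) -> bool:
    """Boolean convenience wrapper around validate_jdbc_url."""
    try:
        validate_jdbc_url(url, policy)
        return True
    except UnsafeJdbcUrl:
        return False
```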
Report Stats
- Report ID: 1966083
- State: Closed
- Substate: resolved
- Upvotes: 22